kadmin problem

Marcus Watts mdw at umich.edu
Tue Feb 20 05:01:39 EST 2007


> Hi Marcus,
> 
> When I use 
> 
> <modprinc -requires_preauth>
> 
> then try to kinit <user>,
> it prompts "incorrect password";
> then I should change the password so that it works, but I guess upon changing the password
> the princ is being modified again... thus I guess that the
> -requires_preauth isn't set anymore...
> Can you please advise me how to make this work, since kdc.log is still showing "Preauthentication failed"?
> 
> Thanks,
> Scotty

cpw should not change REQUIRES_PRE_AUTH.

When you do "getprinc", is that bit set?

If it is, you should figure out what's happening between modprinc and
the database.  modprinc should be able to turn that bit off.  If you
can't get modprinc to turn that bit off, then your copy of kadmin.local
is doing odd stuff.  It might be gdb time, if you have source to
whatever you're running.

If it's not set, and you still get "preauthentication failed" in the
log, then perhaps your kdc & your kadmin.local aren't seeing the same
database.  This would be hard to do, but not impossible; you can use
"lsof" on your running kdc & kadmin.local to see what they're each
looking at.  You might try restarting things if they're looking at
different stuff.  Another possibility is that your kinit binary is
trying to initiate preauth.  This can be best diagnosed by analyzing
the packet traffic; see previous mail for how to do that.  Otherwise
your kdc has very odd ideas about what to do with what's in the
database.  It might be gdb time, if you have source to whatever you're
running.  Knowing what's in the packet traffic will help focus your
gdb efforts; you'll want to pay particular attention to the padata
elements.

Two other things you could try:

Pick an unused principal name, do "ank -randkey <principal>" followed
by "cpw <principal>".  That should create a principal that does not
have REQUIRES_PRE_AUTH set, even if your kdc.conf requires that preauth
be turned on.

Edit ... kdc.conf and see if there are lines that read
"default_principal_flags = +preauth" or some such.  If you see these,
comment them out, stop & start all k5 services, & retry what you did.

				-Marcus Watts
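The checks Marcus suggests (does getprinc show REQUIRES_PRE_AUTH, and does kdc.conf carry a default_principal_flags line that turns preauth on) can be scripted. The following is an added example and not code from the mail or from MIT Kerberos; the getprinc output and kdc.conf fragments in it are constructed samples, the kadmin.local and lsof invocations in check_live assume a running MIT KDC with the usual tools on PATH, and a flag listed without a +/- sign is assumed to mean the same as "+flag".

```sh
#!/bin/sh
# Added example: helpers for the two checks described in the reply above.
# Not part of the original mail; sample data below is constructed.

# getprinc_has_preauth: read "getprinc" output on stdin and succeed (exit 0)
# only if the "Attributes:" line lists REQUIRES_PRE_AUTH.
getprinc_has_preauth() {
    awk '
        /^Attributes:/ {
            for (i = 2; i <= NF; i++)
                if ($i == "REQUIRES_PRE_AUTH") found = 1
        }
        END { if (found) exit 0; exit 1 }
    '
}

# kdcconf_forces_preauth: read kdc.conf on stdin and succeed only if an
# uncommented default_principal_flags line turns preauth on. Flag lists may be
# comma- or whitespace-separated; a flag with no sign is assumed here to be
# equivalent to "+flag".
kdcconf_forces_preauth() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*default_principal_flags[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            n = split($0, f, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (f[i] == "+preauth" || f[i] == "preauth") found = 1
        }
        END { if (found) exit 0; exit 1 }
    '
}

# check_live: run both checks against a real KDC. Needs root (kadmin.local
# opens the database directly) and the path of the kdc.conf the KDC reads.
check_live() {
    principal=$1
    conf=$2
    if kadmin.local -q "getprinc $principal" | getprinc_has_preauth; then
        echo "$principal: REQUIRES_PRE_AUTH is set in the database"
    else
        echo "$principal: REQUIRES_PRE_AUTH is NOT set in the database"
    fi
    if kdcconf_forces_preauth < "$conf"; then
        echo "$conf: default_principal_flags enables preauth for new principals"
    else
        echo "$conf: default_principal_flags does not enable preauth"
    fi
    # To confirm the KDC and kadmin.local open the same database files, compare
    # "lsof -p <krb5kdc pid>" with "lsof -c kadmin.local" while kadmin.local runs.
}

# Constructed sample data (not real output from any KDC).
SAMPLE_GETPRINC_PREAUTH='Principal: scotty@EXAMPLE.COM
Expiration date: [never]
Number of keys: 2
Attributes: DISALLOW_SVR REQUIRES_PRE_AUTH
Policy: [none]'

SAMPLE_GETPRINC_PLAIN='Principal: scotty@EXAMPLE.COM
Attributes:
Policy: [none]'

SAMPLE_KDC_CONF='[realms]
    EXAMPLE.COM = {
        default_principal_flags = +preauth,-forwardable
    }'

SAMPLE_KDC_CONF_COMMENTED='[realms]
    EXAMPLE.COM = {
        # default_principal_flags = +preauth
        max_life = 10h 0m 0s
    }'

# Stand-alone demo against the constructed samples.
if printf '%s\n' "$SAMPLE_GETPRINC_PREAUTH" | getprinc_has_preauth; then
    echo "sample getprinc: REQUIRES_PRE_AUTH set"
else
    echo "sample getprinc: REQUIRES_PRE_AUTH not set"
fi
if printf '%s\n' "$SAMPLE_KDC_CONF" | kdcconf_forces_preauth; then
    echo "sample kdc.conf: preauth is forced for new principals"
else
    echo "sample kdc.conf: preauth is not forced"
fi
```

Against a live KDC, run it as root with `check_live scotty@EXAMPLE.COM /path/to/kdc.conf`; the first line tells you whether the bit is actually in the database (Marcus's first question), the second whether kdc.conf would re-enable it for principals created with ank.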