AS_REQ Return code 60 for principal expired?
Mike Friedman
mikef at berkeley.edu
Mon Jan 12 19:38:53 EST 2009
On Fri, 19 Dec 2008 at 14:35 (-0500), Tom Yu wrote:
> Mike Friedman <mikef at berkeley.edu> writes:
>
>> I've been doing some testing of my programs that use the MIT API
>> against a KDC running 1.6.1 on a Linux system. On all prior systems
>> where I've run a KDC, and according to the Kerberos docs, a principal
>> expired condition should set a return code of 1. But on this test
>> system, it seems I'm getting back a 60, which the docs define as a
>> 'generic error'.
>
> I am unable to reproduce this condition. Is the krb5-1.6.1 KDC possibly
> built using the --with-vague-errors option?
Tom,
Sorry for the delayed reply; I was on vacation for 3 weeks during the
holiday period.
I just ran a simple test, with my perl program that uses the MIT API for
authentication. The results are very simple:
1. If the principal has not expired, authentication succeeds.
2. If the principal has expired, I get this error message from the KDC,
specifically when I'm doing a krb5_mk_req:
Generic error (see e-text)
and a return code of 60.
In the KDC log, for a failure, I see the following:
In response to the AS_REQ:
    CLIENT EXPIRED: mikef at BERKELEY.EDU for krbtgt/BERKELEY.EDU at BERKELEY.EDU, Client's entry in database has expired
From the krb5_mk_req attempt:
    PROCESS_TGS: authtime 0, <unknown client> for krbproxy/oldsage.berkeley.edu at BERKELEY.EDU, No matching key in entry
Yet, if the principal is not expired, I get this:
In response to the AS_REQ:
    ISSUE: authtime 1231806450, etypes {rep=1 tkt=18 ses=1}, mikef at BERKELEY.EDU for krbtgt/BERKELEY.EDU at BERKELEY.EDU
Followed by:
    ISSUE: authtime 1231806450, etypes {rep=1 tkt=18 ses=1}, mikef at BERKELEY.EDU for krbproxy/oldsage.berkeley.edu at BERKELEY.EDU
i.e., success, which seems to imply that my service keytab is set up OK.
Unfortunately, this KDC was installed using a RedHat Linux
pre-compiled RPM binary of MIT krb5-1.6.1, by someone other than me, so I
can't answer your question about the '--with-vague-errors' option (which I
had never heard of).
Any ideas?
Mike
_________________________________________________________________________
Mike Friedman
Information Services & Technology
mikef at berkeley.edu
2484 Shattuck Avenue
1-510-642-1410
University of California at Berkeley
http://mikef.berkeley.edu
http://ist.berkeley.edu
_________________________________________________________________________
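As an added example (not part of the thread), a small Python parser for krb5kdc log entries of the three kinds quoted above, so that whoever operates the KDC can recover the server-side reason ("CLIENT EXPIRED") behind the vague code 60 the application receives. The sample log lines, their "AS_REQ (...) 10.0.0.x:" prefixes and the principal alice@BERKELEY.EDU are constructed; the quoted entries use '@', which the list archive rendered as ' at '.

```python
import re
from collections import Counter

# Constructed sample krb5kdc log lines, modelled on the entries quoted in the
# thread. Principals use '@' here; the list archive rendered it as ' at '.
# The "AS_REQ (...) 10.0.0.5:" prefixes and alice@ are constructed, not from the page.
SAMPLE_KDC_LOG = """\
AS_REQ (1 etypes {1}) 10.0.0.5: CLIENT EXPIRED: mikef@BERKELEY.EDU for krbtgt/BERKELEY.EDU@BERKELEY.EDU, Client's entry in database has expired
TGS_REQ (1 etypes {1}) 10.0.0.5: PROCESS_TGS: authtime 0, <unknown client> for krbproxy/oldsage.berkeley.edu@BERKELEY.EDU, No matching key in entry
AS_REQ (1 etypes {1}) 10.0.0.6: ISSUE: authtime 1231806450, etypes {rep=1 tkt=18 ses=1}, alice@BERKELEY.EDU for krbtgt/BERKELEY.EDU@BERKELEY.EDU
TGS_REQ (1 etypes {1}) 10.0.0.6: ISSUE: authtime 1231806450, etypes {rep=1 tkt=18 ses=1}, alice@BERKELEY.EDU for krbproxy/oldsage.berkeley.edu@BERKELEY.EDU
"""

# Event keyword, then the "client for server[, reason]" tail the three event
# kinds on the page share. ISSUE/PROCESS_TGS carry an authtime first, and
# ISSUE also an etypes list, before the client principal.
EVENT_RE = re.compile(
    r"(?P<event>CLIENT EXPIRED|ISSUE|PROCESS_TGS): "
    r"(?:authtime (?P<authtime>\d+), )?"
    r"(?:etypes \{[^}]*\}, )?"
    r"(?P<client><unknown client>|\S+) for (?P<server>\S+?)"
    r"(?:, (?P<reason>.*))?$"
)


def parse_kdc_line(line):
    """Return a dict with event/authtime/client/server/reason, or None."""
    m = EVENT_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["authtime"] = int(rec["authtime"]) if rec["authtime"] else None
    return rec


def expired_clients(log_text):
    """Count, per client principal, AS_REQs the KDC refused as CLIENT EXPIRED.

    This is the KDC-side detail that the application in the thread only
    sees as 'Generic error (see e-text)' with return code 60.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_kdc_line(line)
        if rec and rec["event"] == "CLIENT EXPIRED":
            hits[rec["client"]] += 1
    return hits


if __name__ == "__main__":
    for client, n in expired_clients(SAMPLE_KDC_LOG).items():
        print(f"{client}: {n} expired-principal AS_REQ failure(s)")
```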