krb5-1.6.1 problems (on RedHat) (was: AS_REQ Return code 60 for principal expired?)

Ken Hornstein kenh at cmf.nrl.navy.mil
Tue Jan 13 13:29:21 EST 2009


>Now I'm having another problem with my 1.6.1 (RedHat Linux) test KDC.  It 
>seems that if I set the REQUIRES_PWCHANGE attribute for a principal and 
>try to authenticate with an invalid password, I get back a return code of 
>31 ('decrypt integrity check failed'), instead of a 23 (password expired). 
>The KDC log actually shows 'REQUIRED PWCHANGE' in the reply to the AS_REQ, 
>yet I'm still getting a return code of 31!
>
>(My code depends on the RC=23 to verify that the REQUIRES_PWCHANGE 
>attribute is, in fact, set.  This code has been running successfully for 
>years on earlier KDC versions, 1.4.2 currently, though not on Linux 
>systems).

Dude,

May I humbly suggest that maybe, just maybe, for something like your KDC
you NOT rely on some pre-compiled binary compiled by god-knows-who with
god-knows-what options?  Judging by what you're posting, something seems
to be majorly wrong here ... at least with error reporting.

(And at the very least, you could always compile with debugging turned on
to try to track down the problem).

--Ken


