Unexpected return codes from KDC -- krb5-1.6.3

Mike Friedman mikef at berkeley.edu
Tue Jan 27 18:53:33 EST 2009



This is a 'sequel' to my earlier postings about getting bad return codes 
from the KDC.  However, I've moved from a binary Linux distribution to a 
FreeBSD port of MIT Kerberos and my symptoms are a bit different, so I'm 
starting a new thread.

My problem is this:

I'm using programs based on the MIT API to do authentication, via 
get_in_tkt_with_password (or get_in_tkt_with_keytab), krb5_mk_req, 
krb5_rd_req. (This is Perl code using the Authen::Krb5 module, which I've 
been running for a couple of years on my production 1.4.2 system.)

If I have a principal that has any of the following set, then, even if I 
supply the correct password, I get back a return code of 31 (decrypt 
integrity check), instead of the more specific return code that would 
correspond to the specific situation:

   CLIENT_NOT_FOUND
   CLIENT EXPIRED
   REQUIRED PWCHANGE
   CLIENT KEY EXPIRED

But if none of the above is true, then my authentication succeeds (RC=0) 
if I supply the correct password, and fails with the expected RC=31 if I 
enter an invalid password.

This is krb5-1.6.3 on FreeBSD.

In reply to one of my earlier postings, Tom Yu said the following:

> I am unable to reproduce this condition.  Is the krb5-1.6.1 KDC possibly 
> built using the --with-vague-errors option?

Looking through the (now 1.6.3) build tree, I see no indication that 
'--with-vague-errors' is being specified as an override.  In 
src/configure, it appears to be specified by default, but I think that is 
my own misunderstanding of the configure file, because my production KDC 
(1.4.2) src/configure looks exactly the same in this regard and I don't 
get this behavior there.

My symptoms seem very much consistent with the presumed meaning of 
'--with-vague-errors', but I have the problem only on 1.6.3, yet it 
appears that neither system is compiled with that option.

Is it possible that 1.6.3 defaults to '--with-vague-errors', unlike 1.4.2? 
More specifically, how can I be sure whether that option was specified at 
compile time?

Thanks for any suggestions.

Mike

_________________________________________________________________________
Mike Friedman                        Information Services & Technology
mikef at berkeley.edu                   2484 Shattuck Avenue
1-510-642-1410                       University of California at Berkeley
http://mikef.berkeley.edu            http://ist.berkeley.edu
_________________________________________________________________________
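The post ends on the question of how to tell, after the fact, whether a KDC build was configured with '--with-vague-errors'. The script below is an added example, not part of the original message or of MIT Kerberos: it inspects a configured krb5 build tree instead of the configure script itself (which always carries the option's help text, so grepping it proves nothing, matching the confusion described above). It assumes that the option is recorded as the C macro KRBCONF_VAGUE_ERRORS in include/autoconf.h and that config.status echoes the configure command line; check both against your own tree.

```sh
#!/bin/sh
# Added example: report whether an MIT krb5 build tree was configured with
# --with-vague-errors. Assumption: configure defines KRBCONF_VAGUE_ERRORS in
# include/autoconf.h when the option is given, and config.status records the
# original configure arguments.

# Usage: kdc_vague_errors_status BUILD_DIR
# Prints "vague" or "specific" and returns 0; returns 2 if BUILD_DIR does not
# look like a configured krb5 build tree.
kdc_vague_errors_status() {
    build="$1"
    hdr="$build/include/autoconf.h"
    status="$build/config.status"
    [ -f "$hdr" ] || [ -f "$status" ] || return 2

    # Only an active '#define' counts; the '/* #undef ... */' form means off.
    if [ -f "$hdr" ] && grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+KRBCONF_VAGUE_ERRORS([[:space:]]|$)' "$hdr"; then
        echo vague
        return 0
    fi
    # Fall back to the configure command line recorded by config.status.
    if [ -f "$status" ] && grep -q -- '--with-vague-errors' "$status"; then
        echo vague
        return 0
    fi
    echo specific
}

# Constructed sample trees so the check can be exercised without a real build.
# Usage: make_sample_tree DIR vague|specific
make_sample_tree() {
    mkdir -p "$1/include"
    if [ "$2" = vague ]; then
        printf '#define KRBCONF_VAGUE_ERRORS 1\n' > "$1/include/autoconf.h"
        printf '# ./configure --with-vague-errors\n' > "$1/config.status"
    else
        printf '/* #undef KRBCONF_VAGUE_ERRORS */\n' > "$1/include/autoconf.h"
        printf '# ./configure --prefix=/usr/local\n' > "$1/config.status"
    fi
}

# Run directly with a build directory to check a real tree.
if [ $# -gt 0 ]; then
    kdc_vague_errors_status "$1"
fi
```

On a system where the source tree is gone, the same macro can be checked in the installed include/krb5/autoconf.h if the port installs it; a packaged KDC binary alone does not record the option.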


