Unexpected return codes from KDC -- krb5-1.6.3
Tom Yu
tlyu at MIT.EDU
Thu Jan 29 16:23:28 EST 2009
Mike Friedman <mikef at berkeley.edu> writes:
> This is a 'sequel' to my earlier postings about getting bad return codes
> from the KDC. However, I've moved from a binary Linux distribution to a
> FreeBSD port of MIT Kerberos and my symptoms are a bit different, so I'm
> starting a new thread.
>
> My problem is this:
>
> I'm using programs based on the MIT API to do authentication, via
> get_in_tkt_with_password (or get_in_tkt_with_keytab), krb5_mk_req,
> krb5_rd_req. (This is perl code using the Authen::Krb5 module, which I've
> been running for a couple of years on my production 1.4.2 system).
The get_in_tkt APIs are deprecated in favor of the get_init_creds
APIs. I know that this fact is probably not well-documented.
> If I have a principal that has any of the following set, then, even if I
> supply the correct password, I get back a return code of 31 (decrypt
> integrity check), instead of the more specific return code that would
> correspond to the specific situation:
>
> CLIENT_NOT_FOUND
> CLIENT EXPIRED
> REQUIRED PWCHANGE
> CLIENT KEY EXPIRED
>
> But if none of the above is true, then my authentication succeeds (RC=0)
> if I supply the correct password, and fails with the expected RC=31 if I
> enter an invalid password.
What error shows up in the KDC logs during those failure conditions?
More information about the Kerberos
mailing list