Unexpected return codes from KDC -- krb5-1.6.3
Mike Friedman
mikef at berkeley.edu
Thu Jan 29 16:43:06 EST 2009
On Thu, 29 Jan 2009 at 16:23 (-0500), Tom Yu wrote:

> The get_in_tkt APIs are deprecated in favor of the get_init_creds APIs.
> I know that this fact is probably not well-documented.

Tom,

Yes, I've been aware of this for some time. Unfortunately, my code is
several years old and I've not had a chance to upgrade it.

Anyway, by now you've probably seen my subsequent note that, I hope, helps
clarify the actual situation with return codes.

>> If I have a principal that has any of the following set, then, even if
>> I supply the correct password, I get back a return code of 31 (decrypt
>> integrity check), instead of the more specific return code that would
>> correspond to the specific situation:
>>
>> CLIENT_NOT_FOUND
>> CLIENT EXPIRED
>> REQUIRED PWCHANGE
>> CLIENT KEY EXPIRED
>>
>> But if none of the above is true, then my authentication succeeds
>> (RC=0) if I supply the correct password, and fails with the expected
>> RC=31 if I enter an invalid password.
>
> What error shows up in the KDC logs during those failure conditions?

One example is this:

  CLIENT KEY EXPIRED: mikef at BERKELEY.EDU for krbtgt/BERKELEY.EDU at BERKELEY.EDU, Password has expired

As I said in my later note, it's not just my API code that's reflecting
the wrong return code. Even kinit tells me 'Password incorrect while
getting initial credentials', though I did enter the correct password.

And (as I also mentioned, for what it might be worth), the KDC is not even
doing the REQUIRES_PREAUTH exchange in these cases.

Mike
_________________________________________________________________________
Mike Friedman Information Services & Technology
mikef at berkeley.edu 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://mikef.berkeley.edu http://ist.berkeley.edu
_________________________________________________________________________
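
The KDC log line quoted in the message carries the specific failure reason that the client-side return code 31 hides. The following Python parser is an added example, not part of the original message or of MIT krb5: it extracts the four status strings listed in the thread from KDC log lines so that account-state failures can be separated from real bad-password failures. The mapping to RFC 4120 error names, the function names, the log prefix and all sample lines except the first are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Status strings quoted in the thread, mapped to the RFC 4120 error each one
# stands for. None of them means the password was wrong.
KDC_STATUS = {
    "CLIENT_NOT_FOUND": "KDC_ERR_C_PRINCIPAL_UNKNOWN (6)",
    "CLIENT EXPIRED": "KDC_ERR_NAME_EXP (1)",
    "REQUIRED PWCHANGE": "KDC_ERR_KEY_EXPIRED (23)",
    "CLIENT KEY EXPIRED": "KDC_ERR_KEY_EXPIRED (23)",
}
# A principal, written user@REALM or, as in the list archive, "user at REALM".
PRINC = r"\S+(?: at |@)\S+"
LINE_RE = re.compile(
    "(?P<status>" + "|".join(re.escape(s) for s in KDC_STATUS) + "): "
    "(?P<client>" + PRINC + ") for (?P<server>" + PRINC + "), (?P<detail>.*)$"
)

def parse_kdc_line(line):
    """Return the fields of an account-state failure line, or None."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("client", "server"):
        rec[key] = rec[key].replace(" at ", "@")
    rec["kdc_error"] = KDC_STATUS[rec["status"]]
    return rec

def account_state_failures(lines):
    """Map each client principal to the account-state statuses logged for it."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_kdc_line(line)
        if rec:
            seen[rec["client"]].add(rec["status"])
    return dict(seen)

# Constructed sample input. The first line is the one quoted in the message;
# the others and the "kdc-host krb5kdc:" prefix are made up for illustration.
SAMPLE = [
    "CLIENT KEY EXPIRED: mikef at BERKELEY.EDU for krbtgt/BERKELEY.EDU at BERKELEY.EDU, Password has expired",
    "kdc-host krb5kdc: REQUIRED PWCHANGE: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired",
    "kdc-host krb5kdc: CLIENT EXPIRED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client's entry in database has expired",
    "kdc-host krb5kdc: ISSUE: carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
]

if __name__ == "__main__":
    for principal, statuses in account_state_failures(SAMPLE).items():
        print(principal, [(s, KDC_STATUS[s]) for s in sorted(statuses)])
```

Principals that appear in this output should be excluded from bad-password counters or lockout logic that is driven by client-side error 31 alone.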