Unexpected return codes from KDC -- krb5-1.6.3

Mike Friedman mikef at berkeley.edu
Thu Jan 29 16:43:06 EST 2009


On Thu, 29 Jan 2009 at 16:23 (-0500), Tom Yu wrote:

> The get_in_tkt APIs are deprecated in favor of the get_init_creds APIs. 
> I know that this fact is probably not well-documented.

Tom,

Yes, I've been aware of this for some time.  Unfortunately, my code is 
several years old and I've not had a chance to upgrade it.

Anyway, by now you've probably seen my subsequent note that, I hope, helps 
clarify the actual situation with return codes.

>> If I have a principal that has any of the following set, then, even if 
>> I supply the correct password, I get back a return code of 31 (decrypt 
>> integrity check), instead of the more specific return code that would 
>> correspond to the specific situation:
>>
>>    CLIENT_NOT_FOUND
>>    CLIENT EXPIRED
>>    REQUIRED PWCHANGE
>>    CLIENT KEY EXPIRED
>>
>> But if none of the above is true, then my authentication succeeds 
>> (RC=0) if I supply the correct password, and fails with the expected 
>> RC=31 if I enter an invalid password.
>
> What error shows up in the KDC logs during those failure conditions?

One example is this:

   CLIENT KEY EXPIRED: mikef at BERKELEY.EDU for krbtgt/BERKELEY.EDU at BERKELEY.EDU, Password has expired

As I said in my later note, it's not just my API code that's reflecting 
the wrong return code.  Even kinit tells me 'Password incorrect while 
getting initial credentials', though I did enter the correct password. 
And (as I also mentioned, for what it might be worth), the KDC is not even 
doing the REQUIRES_PREAUTH exchange in these cases.

Mike

_________________________________________________________________________
Mike Friedman                        Information Services & Technology
mikef at berkeley.edu                   2484 Shattuck Avenue
1-510-642-1410                       University of California at Berkeley
http://mikef.berkeley.edu            http://ist.berkeley.edu
_________________________________________________________________________
