Unexpected return codes from KDC -- krb5-1.6.3

Tom Yu tlyu at MIT.EDU
Thu Jan 29 17:09:34 EST 2009


Mike Friedman <mikef at berkeley.edu> writes:

>> What error shows up in the KDC logs during those failure conditions?
>
> One example is this:
>
>    CLIENT KEY EXPIRED: mikef at BERKELEY.EDU for krbtgt/BERKELEY.EDU at BERKELEY.EDU, Password has expired
>
> As I said in my later note, it's not just my API code that's reflecting 
> the wrong return code.  Even kinit tells me 'Password incorrect while 
> getting initial credentials', though I did enter the correct password. 
> And (as I also mentioned, for what it might be worth), the KDC is not even 
> doing the REQUIRES_PREAUTH exchange in these cases.

Are you getting a "password incorrect" error from kinit when the KDC
logs the "CLIENT KEY EXPIRED" message above?  If you are getting the
incorrect error code out of kinit as well, I was unable to reproduce
that.

Which release are you getting the kinit program from?  And which
release are you using for the library for the program you wrote?  What
does "getprinc" show for the principal when you have set it up to
produce this failure condition?


