Unexpected return codes from KDC -- krb5-1.6.3

Mike Friedman mikef at berkeley.edu
Thu Jan 29 17:23:50 EST 2009



On Thu, 29 Jan 2009 at 17:09 (-0500), Tom Yu wrote:

> Mike Friedman <mikef at berkeley.edu> writes:
>
>>    CLIENT KEY EXPIRED: mikef@BERKELEY.EDU for krbtgt/BERKELEY.EDU@BERKELEY.EDU, Password has expired
>>
>> As I said in my later note, it's not just my API code that's reflecting 
>> the wrong return code.  Even kinit tells me 'Password incorrect while 
>> getting initial credentials', though I did enter the correct password. 
>> And (as I also mentioned, for what it might be worth), the KDC is not 
>> even doing the REQUIRES_PREAUTH exchange in these cases.
>
> Are you getting a "password incorrect" error from kinit when the KDC 
> logs the "CLIENT KEY EXPIRED" message above?  If you are getting the 
> incorrect error code out of kinit as well, I was unable to reproduce 
> that.

Tom,

Yes, when the KDC says 'CLIENT KEY EXPIRED', kinit says 'Password incorrect'.

> Which release are you getting the kinit program from?  And which release 
> are you using for the library for the program you wrote?  What does 
> "getprinc" show for the principal when you have set it up to produce 
> this failure condition?

Previously, I was using a 1.4.2 kinit remotely.  But I just tried 1.6.3 
kinit on the same 1.6.3 KDC itself and also got a 'Password incorrect' 
message. Also, as for my API program, I actually tried with a version that 
was built with 1.4.2 and one built with an older MIT version.

But the fact that kinit seems to be acting the same way would appear to be 
the significant point.

Here's what getprinc shows:

    kadmin.local:  getprinc mikef
    Principal: mikef@BERKELEY.EDU
    Expiration date: [never]
    Last password change: Tue Jan 27 14:41:56 PST 2009
    Password expiration date: Wed Jan 28 11:00:16 PST 2009
    Maximum ticket life: 0 days 10:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Thu Jan 29 11:00:16 PST 2009 (root/admin@BERKELEY.EDU)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 4
    Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
    Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
    Key: vno 1, ArcFour with HMAC/md5, no salt
    Key: vno 1, DES cbc mode with CRC-32, no salt
    Attributes: REQUIRES_PRE_AUTH
    Policy: [none]

_________________________________________________________________________
Mike Friedman                        Information Services & Technology
mikef at berkeley.edu                   2484 Shattuck Avenue
1-510-642-1410                       University of California at Berkeley
http://mikef.berkeley.edu            http://ist.berkeley.edu
_________________________________________________________________________


