Unexpected return codes from KDC -- krb5-1.6.3

Mike Friedman mikef at berkeley.edu
Fri Jan 30 11:46:51 EST 2009



Tom,

I have a correction to my last note to you:

On Thu, 29 Jan 2009 at 14:50 (-0800), Mike Friedman wrote:

> With 1.6.3 kinit, without REQUIRES_PREAUTH, I now get the expected 
> message:
>
>    Password expired.  You must change it now.
>
> However, with 1.4.2 kinit and with my API program built with earlier MIT 
> libraries, I still get 'Password incorrect while getting initial 
> credentials' from kinit and RC=31, 'decrypt integrity check' from my 
> program.

Actually, here's the situation:

1.  Even *with* REQUIRES_PREAUTH, kinit on the KDC behaves correctly.

2.  With or without REQUIRES_PREAUTH, kinit on my remote client still 
insists on returning 'Password incorrect', even when I enter the correct 
password.

3.  My remote client kinit is *also* at the 1.6.3 level!

So REQUIRES_PREAUTH doesn't appear to be the issue either.

Number 3 above is what's really surprising.  In fact, even the OS on the
client is the same (though a different release) as that on the KDC:

  Client:  FreeBSD 6.3-RELEASE
  KDC:     FreeBSD 7.0-RELEASE-p5

Also, here's some additional information:  on the KDC, MIT Kerberos
was built (using the FreeBSD port) as follows:

    ./configure --enable-shared --without-krb4 CPPFLAGS=-I/usr/local/include
    -L/usr/local/lib --prefix=/usr/local --mandir=/usr/local/man
    --infodir=/usr/local/info/ amd64-portbld-freebsd7.0

whereas on my FreeBSD client, I built from the MIT distribution, like this:

    ./configure CPPFLAGS=-DEAI_NODATA=EAI_NONAME --prefix=/usr/local/krb5-1.6.3

The latter was done quite a while ago and I believe I used the above 
CPPFLAGS on recommendation from someone on this list because of problems I 
was having otherwise (which I, unfortunately, can't recall).

I don't know if any of this helps.  But right now it appears that the 
problem occurs only when I try authentication from either of two remote 
clients, but not on the KDC itself.

Thanks for any help you can provide on this.

Mike

_________________________________________________________________________
Mike Friedman                        Information Services & Technology
mikef at berkeley.edu                   2484 Shattuck Avenue
1-510-642-1410                       University of California at Berkeley
http://mikef.berkeley.edu            http://ist.berkeley.edu
_________________________________________________________________________


