Unexpected return codes from KDC -- krb5-1.6.3
Mike Friedman
mikef at berkeley.edu
Fri Jan 30 11:46:51 EST 2009
Tom,
I have a correction to my last note to you:
On Thu, 29 Jan 2009 at 14:50 (-0800), Mike Friedman wrote:
> With 1.6.3 kinit, without REQUIRES_PREAUTH, I now get the expected
> message:
>
> Password expired. You must change it now.
>
> However, with 1.4.2 kinit and with my API program built with earlier MIT
> libraries, I still get 'Password incorrect while getting initial
> credentials' from kinit and RC=31, 'decrypt integrity check' from my
> program.
Actually, here's the situation:
1. Even *with* REQUIRES_PREAUTH, kinit on the KDC behaves correctly.
2. With or without REQUIRES_PREAUTH, kinit on my remote client still
insists on returning 'Password incorrect', even when I enter the correct
password.
3. My remote client kinit is *also* at the 1.6.3 level!
So REQUIRES_PREAUTH doesn't appear to be the issue either.
Number 3 above is what's really surprising. In fact, even the OS on the
client is the same (though a different release) as that on the KDC:
Client: FreeBSD 6.3-RELEASE
KDC: FreeBSD 7.0-RELEASE-p5
Also, here's some additional information: on the KDC, MIT Kerberos
was built (using the FreeBSD port) as follows:

    ./configure --enable-shared --without-krb4 CPPFLAGS=-I/usr/local/include -L/usr/local/lib --prefix=/usr/local --mandir=/usr/local/man --infodir=/usr/local/info/ amd64-portbld-freebsd7.0

whereas on my FreeBSD client, I built from the MIT distribution, like this:

    ./configure CPPFLAGS=-DEAI_NODATA=EAI_NONAME --prefix=/usr/local/krb5-1.6.3

The latter was done quite a while ago and I believe I used the above
CPPFLAGS on recommendation from someone on this list because of problems I
was having otherwise (which I, unfortunately, can't recall).
I don't know if any of this helps. But right now it appears that the
problem occurs only when I try authentication from either of two remote
clients, but not on the KDC itself.
Thanks for any help you can provide on this.
Mike
_________________________________________________________________________
Mike Friedman Information Services & Technology
mikef at berkeley.edu 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://mikef.berkeley.edu http://ist.berkeley.edu
_________________________________________________________________________