Unexpected return codes from KDC -- krb5-1.6.3 -- SOLVED
Mike Friedman
mikef at berkeley.edu
Sat Jan 31 02:25:36 EST 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Tom,
Well, I figured out the cause of my problem with misleading return codes.
It turns out to have been caused by a simple misconfiguration, based on my
own ignorance and an oversight.
It seems that somewhere along the way, over the years, I overlooked the
correspondence on this list concerning the 'master_kdc' parameter in
krb5.conf. So, all along, I've been assuming it's an optional parameter
which is really useful only if you have more than one KDC and want clients
to retry the master when certain authentication errors occur.
The krb5.conf file I've been using to point to our test KDC was missing
the 'master_kdc' parameter, even though my production krb5.conf has had it
all along. This was the oversight on my part when I created the test
krb5.conf.
In our test (1.6.3) environment, we currently have only one KDC set up, so
it never occurred to me that 'master_kdc' would make any difference. (Of
course, we will be adding secondary KDCs later).
However, we also have a '_kerberos-master._udp...' SRV record defined in
the DNS, pointing, of course, to our *production* KDC. My remote client
uses the default of falling through to DNS, whereas the krb5.conf on the
KDC itself turns that setting off. This, I guess, is why kinit has been
working on the KDC, but not on my client.
With no master_kdc in the config file or in DNS, and no secondary KDC
anyway, it appears the correct errors were getting reflected back to the
KDC's kinit, whereas my remote client was falling through to the
production KDC, where the passphrase I was entering for a principal in the
test KDC would always be incorrect ('decrypt integrity check').
I verified the above by noticing that my production KDC logs show decrypt
integrity failures every time I would enter the 'correct' password for the
test KDC principal. The test KDC log would say 'CLIENT KEY EXPIRED', but
then I'd fall through to the production KDC and get the invalid password
error.
So, having fixed my test krb5.conf file, kinit and my API program both
work properly.
Sorry for making this all seem more obscure than it turned out to be and
thanks for your help in ruling out certain possibilities.
Mike
_________________________________________________________________________
Mike Friedman Information Services & Technology
mikef at berkeley.edu 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://mikef.berkeley.edu http://ist.berkeley.edu
_________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)
iEYEARECAAYFAkmD/PAACgkQFgKSfLOvZ1QmRACfcS6Egh+JiNxc4BMOqVEt+TcT
3q8An1ywXxlXfHchzVle4pbzy3D9tAYV
=OQcM
-----END PGP SIGNATURE-----
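The misconfiguration described in the message above, as an added example that is not part of the original post or of MIT Kerberos: a small checker that parses a krb5.conf and reports, per realm, where libkrb5 would send the master-KDC retry that follows a password-related error. The realm name and hostnames below are constructed; the parser handles only the plain section/stanza/key grammar shown, and it assumes the documented default of dns_lookup_kdc being true, so a realm with no master_kdc entry is resolved through the _kerberos-master._udp SRV record, which is exactly how a test client ends up talking to the production KDC.

```python
"""Report where a krb5 client would look for each realm's master KDC.

Added example (not the poster's code, not part of MIT Kerberos). Parses a
subset of krb5.conf: [sections], nested { } stanzas, repeated keys. Does
not handle include/includedir or the 'value*' final-value marker.
"""


def parse_krb5_conf(text):
    """Return {section: {key: [values or stanza dicts]}}."""
    config = {}
    stack = []                       # innermost stanza dict last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):   # comment lines only
            continue
        if line.startswith('[') and line.endswith(']'):
            stack = [config.setdefault(line[1:-1], {})]
            continue
        if not stack:
            raise ValueError('setting outside any section: %r' % raw)
        if line == '}':
            if len(stack) == 1:
                raise ValueError('unbalanced } in krb5.conf')
            stack.pop()
            continue
        key, sep, value = line.partition('=')
        if not sep:
            raise ValueError('cannot parse line: %r' % raw)
        key, value = key.strip(), value.strip()
        if value == '{':
            child = {}
            stack[-1].setdefault(key, []).append(child)
            stack.append(child)
        else:
            stack[-1].setdefault(key, []).append(value)
    return config


def krb5_bool(values, default):
    """Boolean as the krb5 profile library reads it; last value wins."""
    if not values:
        return default
    return values[-1].lower() in ('y', 'yes', 'true', 't', '1', 'on')


def master_kdc_sources(text):
    """Map realm -> where a master-KDC retry for that realm would go."""
    conf = parse_krb5_conf(text)
    # Assumption: dns_lookup_kdc defaults to true, per the MIT krb5.conf docs.
    dns_kdc = krb5_bool(conf.get('libdefaults', {}).get('dns_lookup_kdc'), True)
    result = {}
    for realm, stanzas in conf.get('realms', {}).items():
        stanza = stanzas[-1] if isinstance(stanzas[-1], dict) else {}
        masters = stanza.get('master_kdc', [])
        if masters:
            source = 'krb5.conf: ' + ', '.join(masters)
        elif dns_kdc:
            # No master_kdc in the stanza: whatever host the SRV record
            # names receives the retried AS request and the password.
            source = 'dns: _kerberos-master._udp.%s' % realm
        else:
            source = 'none'          # nothing to retry against
        result[realm] = source
    return result


def warnings_for(text):
    """One finding per realm whose master lookup would leave krb5.conf."""
    return ['%s: no master_kdc, retry goes via %s' % (realm, src)
            for realm, src in master_kdc_sources(text).items()
            if src.startswith('dns:')]


# Constructed configs (made-up realm and hosts). The first is the kind of
# test-client krb5.conf the message describes: single KDC, no master_kdc.
TEST_CLIENT_CONF = """
[libdefaults]
    default_realm = TEST.EXAMPLE.EDU
    # dns_lookup_kdc left at its default

[realms]
    TEST.EXAMPLE.EDU = {
        kdc = test-kdc.example.edu
        admin_server = test-kdc.example.edu
    }
"""

FIXED_CLIENT_CONF = TEST_CLIENT_CONF.replace(
    '        kdc = test-kdc.example.edu\n',
    '        kdc = test-kdc.example.edu\n'
    '        master_kdc = test-kdc.example.edu\n')

# krb5.conf on the KDC itself, with DNS fallthrough turned off.
KDC_LOCAL_CONF = TEST_CLIENT_CONF.replace(
    '    # dns_lookup_kdc left at its default', '    dns_lookup_kdc = false')

if __name__ == '__main__':
    for name, conf in (('test client', TEST_CLIENT_CONF),
                       ('fixed client', FIXED_CLIENT_CONF),
                       ('kdc local', KDC_LOCAL_CONF)):
        print(name, master_kdc_sources(conf), warnings_for(conf))
```

Running it shows the three situations from the message side by side: the test client resolves the master through DNS (and so reaches whatever the production SRV record points at), the corrected client stays on its own KDC, and the KDC's local config, with dns_lookup_kdc off and no master_kdc, has no master to retry against.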