kinit-1.7: wrong passwords lock active directory accounts

Mark Pröhl mark at mproehl.net
Wed Oct 7 10:04:53 EDT 2009


Hi,

I noticed a problem with kinit from krb-1.7.  In case of a wrong
password, kinit tries up to 8 times to get initial credentials.
This happens if the KDC is an Active Directory controller:

# kinit user
Password for user@MYDOMAIN.EXAMPLE:  <wrong password>
kinit: Looping detected inside krb5_get_in_tkt while getting initial credentials

Wireshark shows the following sequence:

   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED

This leads to a problem if account lockout policies are enabled.
Users get locked out after entering just one wrong password:

# kinit user
Password for user@MYDOMAIN.EXAMPLE: <wrong password>
kinit: Clients credentials have been revoked while getting initial credentials
#

   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
   AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED NT Status:
NTATUS_ACCOUNT_LOCKED_OUT


My Active Directory is a win2k3-r2.

My /etc/krb5.conf looks like this:

   [libdefaults]
        default_realm = MYDOMAIN.EXAMPLE
   [realms]
        MYDOMAIN.EXAMPLE  = {
           kdc = 10.10.10.26
        }


Is there an option to prevent kinit from looping?

Regards,

Mark Pröhl

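As an added example (not code from the original post or from MIT Kerberos), a small Python triage script that tells the looping client described above apart from genuinely separate wrong-password entries in a KDC trace: PREAUTH_FAILED replies to the same client and principal less than a second apart belong to one password prompt, so a lockout that follows such a burst came from one mistyped password, not several. The trace format, the 10.10.10.5x client addresses and the alice principal are constructed for the example.

```python
from collections import defaultdict

# Constructed sample trace (not from the original post): timestamp, client IP,
# principal, KDC reply.  The first block is one kinit-1.7 prompt with a wrong
# password; the second is a user who mistyped twice, 15 seconds apart.
SAMPLE_TRACE = """\
10:04:53.001 10.10.10.50 user@MYDOMAIN.EXAMPLE KRB5KDC_ERR_PREAUTH_REQUIRED
10:04:53.012 10.10.10.50 user@MYDOMAIN.EXAMPLE KRB5KDC_ERR_PREAUTH_FAILED
10:04:53.023 10.10.10.50 user@MYDOMAIN.EXAMPLE KRB5KDC_ERR_PREAUTH_REQUIRED
10:04:53.034 10.10.10.50 user@MYDOMAIN.EXAMPLE KRB5KDC_ERR_PREAUTH_FAILED
10:04:53.045 10.10.10.50 user@MYDOMAIN.EXAMPLE KRB5KDC_ERR_PREAUTH_REQUIRED
10:04:53.056 10.10.10.50 user@MYDOMAIN.EXAMPLE KRB5KDC_ERR_PREAUTH_FAILED
10:04:53.067 10.10.10.50 user@MYDOMAIN.EXAMPLE KRB5KDC_ERR_PREAUTH_REQUIRED
10:04:53.078 10.10.10.50 user@MYDOMAIN.EXAMPLE KRB5KDC_ERR_CLIENT_REVOKED
10:06:10.500 10.10.10.51 alice@MYDOMAIN.EXAMPLE KRB5KDC_ERR_PREAUTH_REQUIRED
10:06:10.900 10.10.10.51 alice@MYDOMAIN.EXAMPLE KRB5KDC_ERR_PREAUTH_FAILED
10:06:25.100 10.10.10.51 alice@MYDOMAIN.EXAMPLE KRB5KDC_ERR_PREAUTH_REQUIRED
10:06:25.400 10.10.10.51 alice@MYDOMAIN.EXAMPLE KRB5KDC_ERR_PREAUTH_FAILED
"""

def parse_trace(text):
    """Yield (seconds since midnight, client, principal, error code) per line."""
    for line in text.splitlines():
        ts, client, principal, code = line.split()
        h, m, s = ts.split(":")
        yield int(h) * 3600 + int(m) * 60 + float(s), client, principal, code

def preauth_failure_bursts(events, max_gap=1.0):
    """Group PREAUTH_FAILED replies per (client, principal) into bursts.

    Failures less than max_gap seconds apart cannot be separate prompts answered
    by a person; they are one client retrying on its own, as kinit 1.7 does.
    Returns {(client, principal): [burst sizes in order]}.
    """
    bursts, last_seen = defaultdict(list), {}
    for t, client, principal, code in events:
        if code != "KRB5KDC_ERR_PREAUTH_FAILED":
            continue
        key = (client, principal)
        if key in last_seen and t - last_seen[key] <= max_gap:
            bursts[key][-1] += 1          # same burst: client retry, not a new prompt
        else:
            bursts[key].append(1)         # new prompt (or first failure seen)
        last_seen[key] = t
    return dict(bursts)

def retry_loop_suspects(bursts):
    """(client, principal) pairs whose failures arrive in bursts: a looping client."""
    return sorted(key for key, sizes in bursts.items() if max(sizes) > 1)
```

On the sample trace the user principal shows a single burst of three failures within 70 ms before the CLIENT_REVOKED reply, while alice shows two separate single failures, so only the first pair is reported as a looping client.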
