kinit-1.7: wrong passwords lock active directory accounts
Greg Hudson
ghudson at MIT.EDU
Wed Oct 7 12:45:44 EDT 2009
On Wed, 2009-10-07 at 10:04 -0400, Mark Pröhl wrote:
> # kinit user
> Password for user at MYDOMAIN.EXAMPLE: <wrong password>
> kinit: Looping detected inside krb5_get_in_tkt while getting initial
> credentials
That's definitely not supposed to happen. Against an MIT KDC, I see
only one try, followed by:
kinit: Password incorrect while getting initial credentials
However, we do have at least one other report of looping with krb5 1.7's
kinit:
http://mailman.mit.edu/pipermail/kerberos/2009-September/015265.html
so there is probably an interoperability issue against AD. I will see
if I can replicate the issue; if I can't, a detailed packet trace from
you might be sufficient.
More information about the Kerberos
mailing list