kinit-1.7: wrong passwords lock active directory accounts

Greg Hudson ghudson at MIT.EDU
Wed Oct 7 12:45:44 EDT 2009


On Wed, 2009-10-07 at 10:04 -0400, Mark Pröhl wrote:
> # kinit user
> Password for user at MYDOMAIN.EXAMPLE:  <wrong password>
> kinit: Looping detected inside krb5_get_in_tkt while getting initial
> credentials

That's definitely not supposed to happen.  Against an MIT KDC, I see
only one try, followed by:

  kinit: Password incorrect while getting initial credentials

However, we do have at least one other report of looping with krb5 1.7's
kinit:

  http://mailman.mit.edu/pipermail/kerberos/2009-September/015265.html

so there is probably an interoperability issue against AD.  I will see
if I can replicate the issue; if I can't, a detailed packet trace from
you might be sufficient.





More information about the Kerberos mailing list