kinit-1.7: wrong passwords lock active directory accounts

Luke Howard lhoward at MIT.EDU
Wed Oct 7 12:37:39 EDT 2009


Mark,

Are you able to test whether this still occurs with trunk?

regards,

-- Luke

On 07/10/2009, at 4:04 PM, Mark Pröhl wrote:

> Hi,
>
> I noticed a problem with kinit from krb-1.7.  In case of a wrong
> password, kinit tries up to 8 times to get initial credentials.
> This happens if the KDC is an active directory controller:
>
> # kinit user
> Password for user@MYDOMAIN.EXAMPLE:  <wrong password>
> kinit: Looping detected inside krb5_get_in_tkt while getting initial
> credentials
>
> Wireshark shows the following sequence:
>
>   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>
> This leads to a problem if account lockout policies are enabled.
> Users get locked out after entering just one wrong password:
>
> # kinit user
> Password for user@MYDOMAIN.EXAMPLE: <wrong password>
> kinit: Clients credentials have been revoked while getting initial
> credentials
> #
>
>   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>   AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED NT Status:
> NTATUS_ACCOUNT_LOCKED_OUT
>
>
> My active directory is a win2k3-r2.
>
> My /etc/krb5.conf looks like this:
>
>   [libdefaults]
>        default_realm = MYDOMAIN.EXAMPLE
>   [realms]
>        MYDOMAIN.EXAMPLE  = {
>           kdc = 10.10.10.26
>        }
>
>
> Is there an option to prevent kinit from looping?
>
> Regards,
>
> Mark Pröhl
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
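As an added illustration of the interaction Mark describes above (an example written for this page, not MIT krb5 code, and a deliberately simplified model): a toy KDC that counts failed preauth attempts and locks the principal once an assumed threshold is reached, driven first by a client that restarts the AS exchange after every error, the behaviour shown in the traces, and then by a client that treats the first PREAUTH_FAILED as final. The class and function names, the lockout threshold and the passwords are all constructed for the example.

```python
from dataclasses import dataclass, field

PREAUTH_REQUIRED = "KRB5KDC_ERR_PREAUTH_REQUIRED"   # error names from the trace
PREAUTH_FAILED = "KRB5KDC_ERR_PREAUTH_FAILED"
CLIENT_REVOKED = "KRB5KDC_ERR_CLIENT_REVOKED"

@dataclass
class ToyKdc:
    """Constructed stand-in for the AD DC; lockout_threshold is an assumed value."""
    password: str
    lockout_threshold: int
    bad_count: int = 0
    locked: bool = False
    log: list = field(default_factory=list)

    def as_req(self, preauth_password=None):
        """Answer one AS-REQ: return the KRB-ERROR code, or None for an AS-REP."""
        if self.locked:
            err = CLIENT_REVOKED
        elif preauth_password is None:
            err = PREAUTH_REQUIRED          # no PA-DATA yet: demand preauth
        elif preauth_password == self.password:
            err, self.bad_count = None, 0   # good preauth: AS-REP, counter reset
        else:
            self.bad_count += 1             # every failure counts toward lockout
            self.locked = self.bad_count >= self.lockout_threshold
            err = PREAUTH_FAILED
        self.log.append(f"AS-REQ -> {err or 'AS-REP'}")
        return err

def kinit_looping(kdc, password, max_loops=8):
    """Behaviour described in the post: restart the exchange after every error."""
    for _ in range(max_loops):
        err = kdc.as_req()
        if err == CLIENT_REVOKED:
            return err
        err = kdc.as_req(password)
        if err is None:
            return "OK"
        if err == CLIENT_REVOKED:
            return err
    return "Looping detected"

def kinit_fail_fast(kdc, password):
    """Safer client: one PREAUTH_FAILED with a password key is final, no retry."""
    err = kdc.as_req()
    if err == PREAUTH_REQUIRED:
        err = kdc.as_req(password)
    return "OK" if err is None else err
```

With a high threshold the looping client produces the 16-message REQUIRED/FAILED trace from the first report; with a low threshold it burns through the lockout budget on a single mistyped password, while the fail-fast client costs exactly one failed attempt.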