kinit-1.7: wrong passwords lock active directory accounts

Luke Howard lhoward at MIT.EDU
Wed Oct 7 15:05:50 EDT 2009


Hi Mark,

Yes, I think this was a bug in the referral handling code that I fixed  
whilst implementing something else (S4U).

Do you know if it occurred with 1.6 or was a regression with 1.7?

regards,

-- Luke

On 07/10/2009, at 9:03 PM, Mark Pröhl wrote:

>
> I just built trunk and did the same test again.
> The problem doesn't occur with kinit from trunk.
>
> Regards,
>
> Mark
>
> Luke Howard wrote:
>> Mark,
>>
>> Are you able to test whether this still occurs with trunk?
>>
>> regards,
>>
>> -- Luke
>>
>> On 07/10/2009, at 4:04 PM, Mark Pröhl wrote:
>>
>> Hi,
>>
>> I noticed a problem with kinit from krb5-1.7.  In case of a wrong
>> password, kinit tries up to 8 times to get initial credentials.
>> This happens if the KDC is an active directory controller:
>>
>> # kinit user
>> Password for user at MYDOMAIN.EXAMPLE:  <wrong password>
>> kinit: Looping detected inside krb5_get_in_tkt while getting initial
>> credentials
>>
>> Wireshark shows the following sequence:
>>
>>  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>
>> This leads to a problem if account lockout policies are enabled.
>> Users get locked out after entering just one wrong password:
>>
>> # kinit user
>> Password for user at MYDOMAIN.EXAMPLE: <wrong password>
>> kinit: Clients credentials have been revoked while getting initial
>> credentials
>> #
>>
>>  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>  AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED NT Status:
>> NTATUS_ACCOUNT_LOCKED_OUT
>>
>>
>> My active directory is a win2k3-r2.
>>
>> My /etc/krb5.conf looks like this:
>>
>>  [libdefaults]
>>       default_realm = MYDOMAIN.EXAMPLE
>>  [realms]
>>       MYDOMAIN.EXAMPLE  = {
>>          kdc = 10.10.10.26
>>       }
>>
>>
>> Is there an option to prevent kinit from looping?
>>
>> Regards,
>>
>> Mark Pröhl
>>
>
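Added example (not part of the thread or of MIT krb5): a small parser for the Wireshark-style AS exchange listings quoted above. It counts how many KRB5KDC_ERR_PREAUTH_FAILED answers a single client invocation provoked, flags the retry-after-failure pattern that characterises the 1.7 behaviour, and checks that count against an assumed AD lockout threshold; the capture text and the threshold value are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the second capture in the thread: one kinit
# invocation against krb5-1.7 re-sending AS-REQ after every PREAUTH_FAILED,
# until the DC answers CLIENT_REVOKED (account locked out).
LOOPING_CAPTURE = """\
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED NT Status: NTSTATUS_ACCOUNT_LOCKED_OUT
"""

# Constructed sample of a well-behaved client: it stops after the first failure.
SANE_CAPTURE = """\
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
"""

LINE_RE = re.compile(r"AS-REQ\s*->\s*KRB Error:\s*(KRB5KDC_ERR_\w+)")


@dataclass
class ExchangeSummary:
    preauth_failed: int = 0              # bad-password attempts the KDC counted
    retried_after_failure: bool = False  # new AS-REQ sent after a PREAUTH_FAILED
    locked_out: bool = False             # KDC answered CLIENT_REVOKED
    errors: list = field(default_factory=list)


def summarize_exchange(capture: str) -> ExchangeSummary:
    """Walk one client's AS exchange and summarise what the KDC saw."""
    s = ExchangeSummary()
    prev = None
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that are not KRB-ERROR replies
        err = m.group(1)
        s.errors.append(err)
        if prev == "KRB5KDC_ERR_PREAUTH_FAILED":
            s.retried_after_failure = True  # the looping behaviour
        if err == "KRB5KDC_ERR_PREAUTH_FAILED":
            s.preauth_failed += 1
        elif err == "KRB5KDC_ERR_CLIENT_REVOKED":
            s.locked_out = True
        prev = err
    return s


def exceeds_lockout_threshold(summary: ExchangeSummary, threshold: int) -> bool:
    """True if this one invocation alone reached an AD lockout threshold
    (threshold is an assumed policy value, e.g. 3 bad attempts)."""
    return summary.preauth_failed >= threshold
```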
