kinit-1.7: wrong passwords lock active directory accounts

Luke Howard lhoward at MIT.EDU
Wed Oct 7 15:40:13 EDT 2009


OK, it appears this bug was in 1.7 but the fix in trunk that I committed was wrong. But it will be fixed (somehow) for 1.8.

-- Luke

On 07/10/2009, at 9:10 PM, Mark Pröhl wrote:

> Hi Luke,
>
> The problem doesn't occur in 1.6 (tested with debian lenny package).
>
> Regards,
>
> Mark
> Luke Howard wrote:
>> Hi Mark,
>>
>> Yes, I think this was a bug in the referral handling code that I fixed
>> whilst implementing something else (S4U).
>>
>> Do you know if it occurred with 1.6 or was a regression with 1.7?
>>
>> regards,
>>
>> -- Luke
>>
>> On 07/10/2009, at 9:03 PM, Mark Pröhl wrote:
>>
>> I just built trunk and did the same test again.
>> The problem doesn't occur with kinit from trunk.
>>
>> Regards,
>>
>> Mark
>>
>> Luke Howard wrote:
>>>>> Mark,
>>>>>
>>>>> Are you able to test whether this still occurs with trunk?
>>>>>
>>>>> regards,
>>>>>
>>>>> -- Luke
>>>>>
>>>>> On 07/10/2009, at 4:04 PM, Mark Pröhl wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I noticed a problem with kinit from krb-1.7. In case of a wrong
>>>>> password, kinit tries up to 8 times to get initial credentials.
>>>>> This happens if the KDC is an active directory controller:
>>>>>
>>>>> # kinit user
>>>>> Password for user at MYDOMAIN.EXAMPLE:  <wrong password>
>>>>> kinit: Looping detected inside krb5_get_in_tkt while getting initial
>>>>> credentials
>>>>>
>>>>> Wireshark shows the following sequence:
>>>>>
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>>>
>>>>> This leads to a problem if account lockout policies are enabled.
>>>>> Users get locked out after entering just one wrong password:
>>>>>
>>>>> # kinit user
>>>>> Password for user at MYDOMAIN.EXAMPLE: <wrong password>
>>>>> kinit: Clients credentials have been revoked while getting initial
>>>>> credentials
>>>>> #
>>>>>
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED NT Status:
>>>>> NTATUS_ACCOUNT_LOCKED_OUT
>>>>>
>>>>>
>>>>> My active directory is a win2k3-r2.
>>>>>
>>>>> My /etc/krb5.conf looks like this:
>>>>>
>>>>> [libdefaults]
>>>>>      default_realm = MYDOMAIN.EXAMPLE
>>>>> [realms]
>>>>>      MYDOMAIN.EXAMPLE  = {
>>>>>         kdc = 10.10.10.26
>>>>>      }
>>>>>
>>>>>
>>>>> Is there an option to prevent kinit from looping?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Mark Pröhl
>>>>>
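The two captures Mark quoted show why a single wrong password can exhaust an Active Directory lockout budget: the 1.7 client treats KRB5KDC_ERR_PREAUTH_FAILED as something to retry and resubmits the same password up to eight times. The following model is an added example written for this thread, not MIT krb5 code; it strips the exchange down to error codes (no real encrypted-timestamp preauth), uses a constructed lockout threshold of 3 bad attempts (the real value is a domain policy, not stated on the page), and includes a small parser for the "AS-REQ -> KRB Error: ..." summary format quoted above so the number of password attempts a capture represents can be counted directly.

```python
"""Model of the kinit retry loop from the thread (added example, not krb5 code)."""
import re
from collections import Counter

# KDC error names exactly as they appear in the quoted Wireshark summary.
PREAUTH_REQUIRED = "KRB5KDC_ERR_PREAUTH_REQUIRED"
PREAUTH_FAILED = "KRB5KDC_ERR_PREAUTH_FAILED"
CLIENT_REVOKED = "KRB5KDC_ERR_CLIENT_REVOKED"
AS_REP = "AS-REP"

MAX_CLIENT_RETRIES = 8   # retry ceiling reported for kinit 1.7
LOCKOUT_THRESHOLD = 3    # constructed value; a domain policy setting in reality


class FakeKdc:
    """Stand-in for an AD domain controller: demands preauth, counts bad
    attempts per principal and locks the account once the threshold is hit.
    A threshold of 0 means lockout is disabled."""

    def __init__(self, passwords, threshold=LOCKOUT_THRESHOLD):
        self.passwords = passwords          # principal -> correct password
        self.threshold = threshold
        self.bad_attempts = Counter()
        self.locked = set()

    def as_req(self, principal, preauth_password=None):
        if principal in self.locked:
            return CLIENT_REVOKED
        if preauth_password is None:
            return PREAUTH_REQUIRED         # first AS-REQ carries no preauth data
        if preauth_password == self.passwords.get(principal):
            return AS_REP
        self.bad_attempts[principal] += 1   # one bad password = one lockout strike
        if self.threshold and self.bad_attempts[principal] >= self.threshold:
            self.locked.add(principal)      # lock now; the next request sees it
        return PREAUTH_FAILED


def kinit_looping(kdc, principal, password, max_retries=MAX_CLIENT_RETRIES):
    """Behaviour reported for 1.7: PREAUTH_FAILED is treated as retryable and
    the same (wrong) password is resent on every round."""
    trace = []
    for _ in range(max_retries):
        err = kdc.as_req(principal)
        trace.append(err)
        if err != PREAUTH_REQUIRED:
            break                           # account already revoked
        err = kdc.as_req(principal, password)
        trace.append(err)
        if err in (AS_REP, CLIENT_REVOKED):
            break
        # PREAUTH_FAILED: the buggy client simply goes round again
    return trace


def kinit_fixed(kdc, principal, password):
    """Expected behaviour: exactly one preauth attempt per password prompt."""
    trace = [kdc.as_req(principal)]
    if trace[-1] == PREAUTH_REQUIRED:
        trace.append(kdc.as_req(principal, password))
    return trace


# Parser for the capture summary format quoted in the thread.
TRACE_RE = re.compile(r"AS-REQ -> KRB Error: (KRB5KDC_ERR_\w+)")


def count_failed_preauth(trace_text):
    """Return how many password attempts a capture summary represents, i.e.
    how many lockout strikes one kinit invocation cost the account."""
    return sum(1 for m in TRACE_RE.finditer(trace_text) if m.group(1) == PREAUTH_FAILED)


# Constructed sample: the first capture from the report, without lockout enabled.
SAMPLE_TRACE = "\n".join(
    ["AS-REQ -> KRB Error: " + PREAUTH_REQUIRED, "AS-REQ -> KRB Error: " + PREAUTH_FAILED] * 8
)

if __name__ == "__main__":
    print("buggy client, no lockout :", kinit_looping(FakeKdc({"user": "pw"}, 0), "user", "bad"))
    print("buggy client, lockout=3  :", kinit_looping(FakeKdc({"user": "pw"}), "user", "bad"))
    print("fixed client, lockout=3  :", kinit_fixed(FakeKdc({"user": "pw"}), "user", "bad"))
    print("strikes in sample capture:", count_failed_preauth(SAMPLE_TRACE))
```

With lockout disabled the looping client reproduces the sixteen-message capture (eight PREAUTH_FAILED responses, after which kinit gives up with its "Looping detected" error); with the constructed threshold of 3 it reproduces the seven-message capture ending in KRB5KDC_ERR_CLIENT_REVOKED. The fixed client costs the account one strike per typed password, which is the behaviour a lockout policy is designed around.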