[krbdev.mit.edu #3142] kinit fails when password-change required attribute is set

Public Submitter via RT rt-comment at krbdev.mit.edu
Mon Aug 8 09:54:46 EDT 2005


When kinit is used to obtain an initial ticket and the password-change-required
attribute (the pwchg attribute on HP-UX Kerberos servers) is set on the
principal, kinit fails with a 'Realm unknown' error instead of prompting for
a new password.
The proposed fix is included below as a context diff.

Source files changed:
/vob/krb5-1.3.3/src/lib/krb5/krb/gic_pwd.c


Source file changed

***************
*** /vob/krb5-1.3.3/src/lib/krb5/krb/gic_pwd.c
--- /vob/krb5-1.3.3/src/lib/krb5/krb/gic_pwd.c.fix
*** 131,143 ****
     if (ret == 0)
        goto cleanup;
   
     /* If all the kdc's are unavailable, or if the error was due to a
        user interrupt, or preauth errored out, fail */
   
     if ((ret == KRB5_KDC_UNREACH) ||
         (ret == KRB5_PREAUTH_FAILED) ||
!        (ret == KRB5_LIBOS_PWDINTR) ||
!          (ret == KRB5_REALM_CANT_RESOLVE))
        goto cleanup;
   
     /* if the reply did not come from the master kdc, try again with
--- 131,147 ----
     if (ret == 0)
        goto cleanup;
   
+    /* If it's passwd change */
+    if (ret == KRB5KDC_ERR_KEY_EXP)
+       goto passwd_chg;
+
     /* If all the kdc's are unavailable, or if the error was due to a
        user interrupt, or preauth errored out, fail */
   
     if ((ret == KRB5_KDC_UNREACH) ||
         (ret == KRB5_PREAUTH_FAILED) ||
!        (ret == KRB5_LIBOS_PWDINTR) /*||
!          (ret == KRB5_REALM_CANT_RESOLVE)*/)
        goto cleanup;
   
     /* if the reply did not come from the master kdc, try again with
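Review bot: The new `goto passwd_chg` taken on `KRB5KDC_ERR_KEY_EXP` jumps over the retry against the master KDC, whose stated purpose in the context just below ("if the reply did not come from the master kdc, try again with the master kdc") is to confirm the error with the authoritative server before acting on it; a replica serving stale principal state would now send the user straight into a password-change prompt. A less invasive fix that keeps that confirmation is to drop this early test and instead make the master-retry block below preserve the replica's `KRB5KDC_ERR_KEY_EXP` when the master cannot be resolved or reached, which the original statement order of that block appears to do. Separately, `KRB5_REALM_CANT_RESOLVE` is commented out rather than deleted, leaving dead code and a comment ("all the kdc's are unavailable") that no longer matches the condition; remove the commented text and record the intent, e.g. `/* KRB5_REALM_CANT_RESOLVE is deliberately not fatal here: the master-KDC retry below may still succeed */`. The enclosing function starts before and continues past this hunk.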
***************
*** 163,174 ****
        /* if the master is unreachable, return the error from the
         slave we were able to contact */
   
        if ((ret2 == KRB5_KDC_UNREACH) ||
          (ret2 == KRB5_REALM_CANT_RESOLVE) ||
!         (ret2 == KRB5_REALM_UNKNOWN))
!        goto cleanup;
   
-       ret = ret2;
     }
   
  #ifdef USE_LOGIN_LIBRARY
--- 167,180 ----
        /* if the master is unreachable, return the error from the
         slave we were able to contact */
   
+       ret = ret2;
+
        if ((ret2 == KRB5_KDC_UNREACH) ||
          (ret2 == KRB5_REALM_CANT_RESOLVE) ||
!         (ret2 == KRB5_REALM_UNKNOWN)) {
!             goto cleanup;
!       }
   
     }
   
  #ifdef USE_LOGIN_LIBRARY
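Review bot: Moving `ret = ret2;` above the unreachable/unknown-realm test makes the function return the master KDC's error, which contradicts the comment directly above it ("if the master is unreachable, return the error from the slave we were able to contact"): an error the replica actually returned, such as `KRB5KDC_ERR_KEY_EXP`, is now replaced by `KRB5_REALM_UNKNOWN`, `KRB5_REALM_CANT_RESOLVE` or `KRB5_KDC_UNREACH` whenever no master can be contacted. Either keep the original order, with `goto cleanup;` before `ret = ret2;`, or, if surfacing the master's error is intended, rewrite the comment to say so rather than leaving the two in disagreement. The braces added around the `goto cleanup;` are fine. The enclosing function starts before and continues past this hunk.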
***************
*** 179,185 ****
     /* at this point, we have an error from the master.  if the error
        is not password expired, or if it is but there's no prompter,
        return this error */
!
     if ((ret != KRB5KDC_ERR_KEY_EXP) ||
         (prompter == NULL))
        goto cleanup;
--- 185,191 ----
     /* at this point, we have an error from the master.  if the error
        is not password expired, or if it is but there's no prompter,
        return this error */
! passwd_chg:
     if ((ret != KRB5KDC_ERR_KEY_EXP) ||
         (prompter == NULL))
        goto cleanup;
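Review bot: The new `passwd_chg:` label carries no comment recording how it is reached, and control arriving from the early jump in the first hunk has skipped both the master-KDC retry and the `#ifdef USE_LOGIN_LIBRARY` section that precede it, so anything those paths set up (not visible in this hunk) is absent when the label is entered that way. Document the entry conditions on the label, e.g. `/* passwd_chg: entered from the master-KDC path above, or directly from the first attempt when the KDC answered KRB5KDC_ERR_KEY_EXP; on that second path use_master is still 0 */`. The password-change prompting that follows the check is outside this hunk.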


