[krbdev.mit.edu #6428] KDC prefers returning KDC_ERR_KEY_EXP vs. KDC_ERR_NAME_EXP

The RT System itself via RT rt-comment at krbdev.mit.edu
Wed Mar 18 14:26:58 EDT 2009


Date: Wed, 18 Mar 2009 12:07:42 -0400
Message-Id: <200903181607.n2IG7gwA017670 at smallbus.aset.psu.edu>
To: krb5-bugs at mit.edu
Subject: KDC prefers returning KDC_ERR_KEY_EXP vs. KDC_ERR_NAME_EXP
From: pgp at psu.edu


>Submitter-Id:	net
>Originator:	Phil Pishioneri
>Organization: Penn State University, ITS

>Confidential:	no
>Synopsis:	KDC prefers returning KDC_ERR_KEY_EXP vs. KDC_ERR_NAME_EXP
>Severity:	non-critical
>Priority:	medium
>Category:	krb5-kdc
>Class:		sw-bug
>Release:	krb5-current
>Environment:
	
System: AIX smallbus 3 5 000F48BD4C00


>Description:
	In kdc/kdc_util.c, there are two checks for password (key)
	expiration and account expiration. In each case, the code (and
	error return) for key expiration is done before the check for
	account expiration. However, it seems that account expiration
	is more significant than key expiration, and should be checked
	for, and returned first.

>How-To-Repeat:
	Create an account, expire both the password and account.
	Attempt to "kinit" to the account: KDC_ERR_KEY_EXP ("CLIENT KEY
	EXPIRED") will be returned instead of KDC_ERR_NAME_EXP 
	("CLIENT EXPIRED").

>Fix:
	In the two areas of code (search for "KDC_ERR_NAME_EXP" to find
	them), move the check for KDC_ERR_NAME_EXP to be before the
	check for KDC_ERR_KEY_EXP.  A diff can be provided if that would
	help to clarify the change.
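
The reordering proposed in the report, as an added C sketch that is not code from kdc/kdc_util.c or from the report's author: the struct, the function names and the timestamps are hypothetical, the error values are those assigned in RFC 4120, and a zero timestamp is assumed to mean "never expires". The two orderings differ only when both the account and the key have expired.

```c
#include <stdio.h>
#include <time.h>

/* Error codes as assigned in RFC 4120. */
#define KDC_ERR_NONE      0
#define KDC_ERR_NAME_EXP  1   /* client's database entry has expired */
#define KDC_ERR_KEY_EXP   23  /* password has expired */

/* Hypothetical, simplified principal record; 0 is assumed to mean "never". */
struct principal {
    time_t expiration;     /* account expiration */
    time_t pw_expiration;  /* password (key) expiration */
};

static int expired(time_t when, time_t now)
{
    return when != 0 && when < now;
}

/* Order described in the report: key expiration is tested first. */
int validate_key_first(const struct principal *p, time_t now)
{
    if (expired(p->pw_expiration, now))
        return KDC_ERR_KEY_EXP;
    if (expired(p->expiration, now))
        return KDC_ERR_NAME_EXP;
    return KDC_ERR_NONE;
}

/* Order proposed in the report: account expiration is tested first. */
int validate_account_first(const struct principal *p, time_t now)
{
    if (expired(p->expiration, now))
        return KDC_ERR_NAME_EXP;
    if (expired(p->pw_expiration, now))
        return KDC_ERR_KEY_EXP;
    return KDC_ERR_NONE;
}

int main(void)
{
    const time_t now = 1237392000;                         /* constructed */
    const struct principal both = { now - 60, now - 60 };  /* constructed */

    printf("key first:     %d\n", validate_key_first(&both, now));
    printf("account first: %d\n", validate_account_first(&both, now));
    return 0;
}
```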



