[krbdev.mit.edu #7119] Preauth fails for second AS request in a krb5 context
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Wed Apr 25 13:19:38 EDT 2012

The client preauth subsystem tries to avoid invoking the same loadable
preauth module twice during an AS request. The use_count field used for
this purpose is initialized in krb5_init_preauth_context, which is
invoked only once per library context. The use_count field is reset if
we receive a final AS reply, but not if we fail before that point.

This problem has existed since 1.6, but became much more visible in 1.10
when encrypted timestamp was moved to the modules table. For example,
when krb5_get_init_context_password tries to change an expired password,
it will fail if the principal requires preauth.
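
The failure mode described in the report above, as an added example that is not part of the original message and is not MIT krb5 code: a toy model of a per-context use_count that is reset only on a final AS reply. Every name except use_count is hypothetical, and resetting at the start of each request is shown as one possible correction, not as the project's actual fix.

```c
#include <stdbool.h>
#include <stdio.h>

#define NMODULES 2

/* Hypothetical stand-in for the per-library-context preauth state. */
struct preauth_ctx { int use_count[NMODULES]; };

/* Runs once per context, like krb5_init_preauth_context in the report. */
static void ctx_init(struct preauth_ctx *c) {
    for (int i = 0; i < NMODULES; i++) c->use_count[i] = 0;
}

/*
 * One AS exchange; returns true if a final AS reply is reached.
 * fail_early models an error before the final reply (e.g. expired password).
 * reset_at_start selects the corrected behaviour (an assumption of this model).
 */
static bool as_request(struct preauth_ctx *c, bool fail_early, bool reset_at_start) {
    bool preauth_sent = false;
    if (reset_at_start) ctx_init(c);
    for (int i = 0; i < NMODULES; i++) {
        if (c->use_count[i] > 0) continue;  /* module treated as already tried */
        c->use_count[i]++;
        preauth_sent = true;
    }
    if (!preauth_sent) return false;  /* principal requires preauth, none produced */
    if (fail_early) return false;     /* error path: stale counts stay in the context */
    ctx_init(c);                      /* counts are cleared only on the final reply */
    return true;
}

/* A failed request followed by a second request in the same context. */
static bool second_request_succeeds(bool reset_at_start) {
    struct preauth_ctx c;
    ctx_init(&c);
    as_request(&c, true, reset_at_start);         /* first request fails early */
    return as_request(&c, false, reset_at_start); /* second reuses the context */
}

int main(void) {
    printf("reset only on final reply: %s\n",
           second_request_succeeds(false) ? "ok" : "preauth fails");
    printf("reset at request start:    %s\n",
           second_request_succeeds(true) ? "ok" : "preauth fails");
    return 0;
}
```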