[krbdev.mit.edu #8537] Preauthentication should continue after failure

Greg Hudson via RT rt-comment at krbdev.mit.edu
Fri Jan 13 12:15:45 EST 2017


Upon receiving a KDC_ERR_PREAUTH_REQUIRED error, the client consults the 
module for each padata type in the METHOD-DATA until one succeeds.  
After that point, pre-authentication could fail on the KDC side with a 
KDC_ERR_PREAUTH_FAILED error, or on the client side after a 
KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error.  In either of those cases, we 
should go back to processing the original METHOD-DATA list (or the one 
in the KDC_ERR_PREAUTH_FAILED message if one was supplied), skipping the 
failed mechanism.

(We also do not continue after failure resulting from optimistic 
preauth, unless it happens immediately on the client side.  That problem 
is out of scope for this ticket.)
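
The fallback behaviour requested above, modelled as an added example (this is not MIT krb5 code and not from the ticket). The names `run_preauth`, `attempt_fn` and `sample_attempt` are hypothetical, each callback call stands in for one whole attempt with a mechanism, and the sample lists are constructed.

```c
#include <stddef.h>
#define MAX_FAILED 16
enum outcome { PREAUTH_OK, CLIENT_SIDE_FAIL, KDC_PREAUTH_FAILED };

/* One attempt's result; a KDC_ERR_PREAUTH_FAILED reply may carry a new list. */
struct attempt_result { enum outcome status; const int *new_md; size_t new_n; };
typedef struct attempt_result (*attempt_fn)(int pa_type);

static int has_failed(const int *failed, size_t nfailed, int pa_type)
{
    for (size_t i = 0; i < nfailed; i++)
        if (failed[i] == pa_type)
            return 1;
    return 0;
}

/* Returns the padata type that succeeded, or -1 once every offer has failed. */
int run_preauth(const int *md, size_t n, attempt_fn attempt)
{
    int failed[MAX_FAILED];
    size_t nfailed = 0, i = 0;
    while (i < n) {
        if (has_failed(failed, nfailed, md[i])) { i++; continue; }
        struct attempt_result r = attempt(md[i]);
        if (r.status == PREAUTH_OK)
            return md[i];
        if (nfailed == MAX_FAILED)
            return -1;                /* fail closed instead of looping */
        failed[nfailed++] = md[i];    /* this mechanism is never retried */
        if (r.status == KDC_PREAUTH_FAILED && r.new_md != NULL) {
            md = r.new_md;            /* prefer the list sent with the error */
            n = r.new_n;
        }
        i = 0;                        /* rescan the list, skipping failed types */
    }
    return -1;
}

/* Constructed scenario: 16 (PA-PK-AS-REQ) fails at the KDC, which supplies a
 * new list; 138 (PA-ENCRYPTED-CHALLENGE) fails on the client; 2 succeeds. */
const int original_list[] = { 16, 138 };
static const int kdc_list[] = { 16, 138, 2 };
int attempts_made = 0;
struct attempt_result sample_attempt(int pa_type)
{
    attempts_made++;
    if (pa_type == 16)
        return (struct attempt_result){ KDC_PREAUTH_FAILED, kdc_list, 3 };
    enum outcome s = pa_type == 2 ? PREAUTH_OK : CLIENT_SIDE_FAIL;
    return (struct attempt_result){ s, NULL, 0 };
}
```

Because every failure adds a distinct padata type to the failed set, the loop makes at most one attempt per mechanism, so a KDC that keeps re-offering a failed type cannot make the client retry it indefinitely.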


