How to Debug EINVAL from get_init_creds_password

Henry B. Hotz hotz at
Tue Sep 19 20:43:23 EDT 2006

I've got a program that nicely creates keytab files when built with  
1.4.x and 1.5 on OSX and Solaris.

With 1.3.? on OSX 10.3.9, however, the krb5_get_init_creds_password()
call returns 22 (== EINVAL).  Certainly not a Kerberos error code.  I  
will probably need this to work with 1.2.x on some Linux  
distributions as well.  The most relevant code fragment follows.

> /* Error handling wrapper for Kerberos library routines. */
> #define K5(f, m) if((ret=(f))){\
>                         com_err("jplis_keytab", ret, (m));\
>                         restore_die();\
>                 }
. . . .
>         /* check password and get ticket */
>         memset (&kinit_opts, 0, sizeof(kinit_opts));
>         krb5_get_init_creds_opt_init(&kinit_opts);
>         krb5_get_init_creds_opt_set_etype_list(&kinit_opts, &etype, 1);
>         K5(krb5_get_init_creds_password(context, &creds, principal,
>                 password, NULL, NULL, 0, username, &kinit_opts),
>                 "-- probably a bad password");

context is the usual thing
creds isn't initialized
principal was unparsed into username and printed fine
It doesn't matter if password is correct or not.  gdb shows a correct  
string in any case.

A typical run looks like this (on OSX 10.3.9):
> $ ./jplis_keytab -keytab temp -user hotz -realm JPL.NASA.GOV
> Making keytab file for hotz at JPL.NASA.GOV
> Enter keytab password:
> jplis_keytab: Invalid argument -- probably a bad password
> $

<<No, it's not a mistake that I'm asking for the user's own ticket  
instead of a tgt.  That's a cheap way to get the kvno of the user's

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at
