How to Debug EINVAL from get_init_creds_password
Henry B. Hotz
hotz at jpl.nasa.gov
Tue Sep 19 20:43:23 EDT 2006
I've got a program that nicely creates keytab files when built with
1.4.x and 1.5 on OSX and Solaris.
With 1.3.? on OSX 10.3.9, however the krb5_get_init_creds_password()
call returns 22 (== EINVAL). Certainly not a Kerberos error code. I
will probably need this to work with 1.2.x on some Linux
distributions as well. The most relevant code fragment follows.
> /* Error handling wrapper for Kerberos library routines. */
> #define K5(f, m) if((ret=(f))){\
> com_err("jplis_keytab", ret, (m));\
> restore_die();\
> }
. . . .
> /* check password and get ticket */
> memset (&kinit_opts, 0, sizeof(kinit_opts));
> krb5_get_init_creds_opt_init(&kinit_opts);
> krb5_get_init_creds_opt_set_etype_list(&kinit_opts, &etype,
> 1);
>
> K5(krb5_get_init_creds_password(context, &creds, principal,
> password, NULL, NULL, 0, username, &kinit_opts),
> "-- probably a bad password");
context is the usual thing
creds isn't initialized
principal was unparsed into username and printed fine
It doesn't matter if password is correct or not. gdb shows a correct
string in any case.
A typical run looks like this (on OSX 10.3.9):
> $ ./jplis_keytab -keytab temp -user hotz -realm JPL.NASA.GOV
> Making keytab file for hotz at JPL.NASA.GOV
> Enter keytab password:
> jplis_keytab: Invalid argument -- probably a bad password
> $
<<No, it's not a mistake that I'm asking for the user's own ticket
instead of a tgt. That's a cheap way to get the kvno of the user's
principal.>>
------------------------------------------------------------------------
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
More information about the krbdev
mailing list