question about krb5_verify_init_creds() and verify_ap_req_nofail

Will Fiveash will.fiveash at
Tue Jan 11 17:30:15 EST 2011

On Tue, Jan 11, 2011 at 04:20:45PM -0500, Sam Hartman wrote:
> Really?
> I'd expect krb5_kt_default() to succeed if the keytab does not exist.

My bad, you are correct that krb5_kt_default() will succeed without a
keytab existing.

Still, why try checking the keytab if verify_ap_req_nofail is set to false?  

Here is the code I'm looking at:

    if ((ret = krb5_kt_get_entry(context, keytab, server, 0, 0, &kte))) {
        /* this means there is no keying material.  This is ok, as long as
           it is not prohibited by the configuration */

        int nofail;

        if (options &&
            (options->flags & KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL)) {
            if (options->ap_req_nofail)
                goto cleanup;
        } else if (krb5int_libdefault_boolean(context,
                                              &nofail) == 0) {
            if (nofail)
                goto cleanup;
        }

        ret = 0;
        goto cleanup;
    }

If krb5_kt_get_entry() fails for whatever reason and if the
verify_ap_req_nofail is set to false in krb5.conf then the call to
krb5int_libdefault_boolean() will result in setting nofail to 0.  If
that is the case then ret will be set to 0 and the code will goto
cleanup and then return 0.  However, if there is a service princ key in
the keytab whether it is still current/valid or not then
verify_ap_req_nofail is essentially ignored and the ap_req will try to
be verified.  If the service princ's key in the keytab is not valid then
krb5_verify_init_creds() will always fail.  Is that behavior

(Note, an older Solaris variant of krb5_verify_init_creds() differed from
this logic in that if verify_ap_req_nofail is false then the keytab was

Will Fiveash
Sent using mutt, a sweet, text-based e-mail app
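As an added illustration (not code from this thread or from libkrb5), a small C model of the decision path discussed above: the keytab lookup, the caller's KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL option and the verify_ap_req_nofail libdefault are reduced to plain booleans, and the names vic_inputs, vic_outcome and vic_decide are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model of the keytab branch in krb5_verify_init_creds() as read in the
 * message above.  This is an illustration, not libkrb5 code. */
enum vic_outcome {
    VIC_VERIFY,       /* entry found: AP-REQ verification is attempted */
    VIC_SKIP,         /* no entry, nofail false: ret = 0, nothing verified */
    VIC_FAIL_NO_KEY   /* no entry, nofail true: krb5_kt_get_entry() error kept */
};

/* Hypothetical inputs standing in for the keytab lookup, the caller's
 * KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL option and the
 * verify_ap_req_nofail libdefault from krb5.conf. */
struct vic_inputs {
    bool entry_found;        /* krb5_kt_get_entry() returned 0 */
    bool opt_nofail_set;     /* options->flags has the AP_REQ_NOFAIL bit */
    bool opt_nofail;         /* options->ap_req_nofail */
    bool conf_nofail_found;  /* krb5int_libdefault_boolean() returned 0 */
    bool conf_nofail;        /* value of verify_ap_req_nofail */
};

enum vic_outcome vic_decide(const struct vic_inputs *in)
{
    /* The nofail settings are only consulted when no entry was found;
     * with an entry present (current or stale) verification always runs. */
    if (in->entry_found)
        return VIC_VERIFY;

    /* A caller-supplied option takes precedence over krb5.conf, even
     * when it is set to false. */
    if (in->opt_nofail_set) {
        if (in->opt_nofail)
            return VIC_FAIL_NO_KEY;
    } else if (in->conf_nofail_found && in->conf_nofail) {
        return VIC_FAIL_NO_KEY;
    }
    return VIC_SKIP;
}

int main(void)
{
    static const char *names[] = { "verify", "skip", "fail-no-key" };
    struct vic_inputs stale = { .entry_found = true, .conf_nofail_found = true };
    struct vic_inputs none  = { .entry_found = false, .conf_nofail_found = true };
    printf("entry present, verify_ap_req_nofail=false: %s\n", names[vic_decide(&stale)]);
    printf("no entry,      verify_ap_req_nofail=false: %s\n", names[vic_decide(&none)]);
    return 0;
}
```

The first printed row is the case raised above: with any entry for the service principal in the keytab, verify_ap_req_nofail=false does not prevent verification, so a stale key still makes the call fail.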

More information about the krbdev mailing list