suggestion for locating master kdc logic

Russ Allbery rra at
Fri Apr 6 17:11:32 EDT 2012

Greg Hudson <ghudson at MIT.EDU> writes:
> On 04/06/2012 04:09 PM, Russ Allbery wrote:

>> Not only do you lose fallback in this case, but you also don't get
>> password change on expired password, unless you patched the code to not
>> require master_kdc in that case as well.

> My test results with current code don't match this claim.  I do see a
> bug that the kpasswd_server -> admin_server fallback doesn't work for
> kinit password changes, but the presence or absence of master_kdc
> doesn't seem to have any relevance.  (Nor would one expect it to, since
> password changes don't go through a KDC.)

Ah, it looks like it was fixed in 2006:

r18764 | jaltman | 2006-11-06 13:55:13 -0800 (Mon, 06 Nov 2006) | 18 lines

ticket: new
tags: pullup
subject: krb5_get_init_creds_password does not consistently prompt for password changing

        krb5_get_init_creds_password() previously did not consistently
        handle KRB5KDC_ERR_KEY_EXP errors.  If there is a "master_kdc" 
        entry for the realm and the KDC is reachable, then the function 
        will prompt the user for a password change.  Otherwise, it will
        return the error code to the caller.  If the caller is a ticket 
        manager, it will prompt the user for a password change with a
        dialog that is different from the one generated by the prompter
        function passed to krb5_get_init_creds_password.

        With this change krb5_get_init_creds_password() will always 
        prompt the user if it would return KRB5KDC_ERR_KEY_EXP unless
        the function is compiled with USE_LOGIN_LIBRARY.  (KFM)

Thanks for pointing me at that.  I'll update my documentation accordingly.

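An added example, not part of the thread, showing where the three settings discussed above (master_kdc, admin_server, kpasswd_server) live in a krb5.conf realm stanza and which traffic each one governs; EXAMPLE.COM and the host names are placeholders:

```ini
# Added example krb5.conf fragment (not from the thread); realm and host
# names are placeholders.
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        # KDCs used for ordinary AS/TGS requests (tickets), in the order listed.
        kdc = kdc1.example.com
        kdc = kdc2.example.com

        # master_kdc is consulted only when an initial-credentials request
        # fails with a password/key error at a replica, so that a password
        # changed on the master but not yet propagated is retried there.
        # It plays no part in the password-change protocol itself.
        master_kdc = kdc1.example.com

        # Password changes (kpasswd, or the prompt after KRB5KDC_ERR_KEY_EXP)
        # go to kpasswd_server on port 464. If kpasswd_server is absent,
        # the client tries port 464 on admin_server instead.
        admin_server = kdc1.example.com
        kpasswd_server = kdc1.example.com
    }
```

The separation matters when reading the thread: losing master_kdc affects only the retry of a failed kinit against a replica, while an expired-password change is a kpasswd exchange that depends on kpasswd_server (or the admin_server fallback), not on any KDC entry.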
