Changing password through Kerberos / Kerberos error codes

Greg Hudson ghudson at MIT.EDU
Mon Apr 8 11:59:13 EDT 2013

On 04/08/2013 09:38 AM, Arpit Srivastava wrote:
> 1. Before prompting the user to change the password, I want to check
> whether the password is about to expire or not. My server is Windows AD and
> I have set the password lifetime to be 2 days (which is less than 7 days, as
> per the Windows standard for sending the password expiry notification).
> For that, I have registered a callback in krb5_get_init_creds_password, but
> what is happening is that the callback API is being called again and again,
> and the TGT is fetched in the background. What could be the reason for this?
> Moreover, no message/banner is coming in the prompt callback function, which
> is unexpected.

I assume you're talking about
krb5_get_init_creds_opt_set_expire_callback.  This callback exists to
allow applications to control when and how password expiry warnings are
displayed to the user, so it's intentional (and documented) that setting
an expire callback suppresses the prompter invocations.

The callback is invoked exactly once at the end of each successful
krb5_get_init_creds_password call, whether or not the password is going
to expire soon.

Our library never spawns threads, so I'm not sure what you mean by "TGT
is fetched in the background."

> 2. I made the password expire on my Windows account, and am now checking
> the krb5 error code returned by krb5_get_init_creds_password. Ideally, it
> should come out to be KRB5KDC_ERR_KEY_EXP, but what I am getting is
> KRB5KDC_ERR_NEVER_VALID. What could be the reason for this behavior?

We don't generate that error ourselves, so it seems likely that the AD
KDC is returning a KRB-ERROR with error-code 11 (KDC_ERR_NEVER_VALID)
and we're translating that to KRB5KDC_ERR_NEVER_VALID.
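
To make the two points above concrete (an expire callback replacing the prompter's built-in warning, and the way a KRB-ERROR error-code becomes a krb5_error_code), here is an added C example. It is not code from this thread or from MIT krb5. It assumes a 7-day warning window (the figure mentioned above), message wording modeled on kinit's, krb5_prompter_posix for password entry, and the com_err constants from MIT's krb5_err.h so the policy part compiles and runs without libkrb5 installed; the real client wiring is under -DUSE_LIBKRB5.

```c
/*
 * Added example, not code from the thread or from MIT krb5: an expire callback
 * for krb5_get_init_creds_password with its own warning policy, plus the
 * translation libkrb5 applies to the error-code field of a KRB-ERROR.
 *
 *   cc -o expire expire.c                        (policy only, no libkrb5)
 *   cc -DUSE_LIBKRB5 -o expire expire.c -lkrb5   (full client)
 */
#include <stdio.h>
#include <string.h>
#include <time.h>

#ifdef USE_LIBKRB5
#include <krb5.h>
#else
/* From MIT's generated krb5_err.h: the com_err table base, plus base+11 and
 * base+23, so the policy code compiles when krb5.h is not installed. */
typedef int krb5_error_code;
#define ERROR_TABLE_BASE_krb5   (-1765328384L)
#define KRB5KDC_ERR_NEVER_VALID (-1765328373L)
#define KRB5KDC_ERR_KEY_EXP     (-1765328361L)
#endif

#define WARN_WINDOW (7 * 24 * 3600L)   /* assumed: the 7 days named in the thread */

/* libkrb5 maps a KRB-ERROR error-code by adding it to the com_err table base.
 * RFC 4120 assigns 11 to KDC_ERR_NEVER_VALID and 23 to KDC_ERR_KEY_EXP, which
 * is why AD's error-code 11 surfaces as KRB5KDC_ERR_NEVER_VALID. */
krb5_error_code translate_kdc_error(int wire_code)
{
    return (krb5_error_code)(ERROR_TABLE_BASE_krb5 + wire_code);
}

/*
 * Warning policy, kept free of libkrb5 types so it can be tested offline.
 * pw_exp and acct_exp are POSIX times; 0 means the AS-REP carried nothing.
 * is_last_req mirrors the callback argument: nonzero when the times came from
 * the AS-REP last-req field, zero when from the older key-expiration field,
 * which does not say whether the password or the account is expiring.
 * Returns 1 and fills msg when the user should be warned, otherwise 0.
 */
int expiry_warning(long now, long pw_exp, long acct_exp, int is_last_req,
                   char *msg, size_t len)
{
    const char *what = is_last_req ? "password" : "password or account";
    long remaining;

    if (acct_exp != 0 && acct_exp - now <= WARN_WINDOW) {
        snprintf(msg, len, "Warning: your account will expire in %ld day(s)",
                 (acct_exp - now) / 86400);
        return 1;
    }
    if (pw_exp == 0)
        return 0;                       /* nothing known about the password */
    remaining = pw_exp - now;
    if (remaining > WARN_WINDOW)
        return 0;                       /* expires, but outside the window */
    if (remaining <= 0)
        snprintf(msg, len, "Warning: your %s has expired", what);
    else if (remaining < 3600)
        snprintf(msg, len, "Warning: your %s will expire in less than one hour", what);
    else if (remaining < 86400)
        snprintf(msg, len, "Warning: your %s will expire in %ld hour(s)", what, remaining / 3600);
    else
        snprintf(msg, len, "Warning: your %s will expire in %ld day(s)", what, remaining / 86400);
    return 1;
}

/* The message, or "" when no warning is due (static buffer, not thread-safe). */
const char *expiry_warning_text(long now, long pw_exp, long acct_exp, int is_last_req)
{
    static char buf[128];
    return expiry_warning(now, pw_exp, acct_exp, is_last_req, buf, sizeof(buf)) ? buf : "";
}

#ifdef USE_LIBKRB5
/* Called by libkrb5 once, at the end of each successful
 * krb5_get_init_creds_password call, instead of the prompter's own warning. */
static void expire_cb(krb5_context ctx, void *data, krb5_timestamp pw_exp,
                      krb5_timestamp acct_exp, krb5_boolean is_last_req)
{
    char msg[128];
    (void)ctx; (void)data;
    if (expiry_warning((long)time(NULL), (long)pw_exp, (long)acct_exp,
                       is_last_req, msg, sizeof(msg)))
        fprintf(stderr, "%s\n", msg);
}

int main(int argc, char **argv)
{
    krb5_context ctx;
    krb5_principal client;
    krb5_get_init_creds_opt *opt;
    krb5_creds creds;
    krb5_error_code ret;

    if (argc != 2) { fprintf(stderr, "usage: %s principal\n", argv[0]); return 2; }
    if (krb5_init_context(&ctx) != 0 || krb5_parse_name(ctx, argv[1], &client) != 0 ||
        krb5_get_init_creds_opt_alloc(ctx, &opt) != 0)
        return 1;
    krb5_get_init_creds_opt_set_expire_callback(ctx, opt, expire_cb, NULL);
    /* The POSIX prompter still collects the password; only its expiry
     * warning is suppressed, because an expire callback is registered. */
    ret = krb5_get_init_creds_password(ctx, &creds, client, NULL,
                                       krb5_prompter_posix, NULL, 0, NULL, opt);
    if (ret == KRB5KDC_ERR_KEY_EXP)
        fprintf(stderr, "password expired: run the change-password flow\n");
    else if (ret == KRB5KDC_ERR_NEVER_VALID)
        fprintf(stderr, "KDC returned error-code 11 (KDC_ERR_NEVER_VALID)\n");
    else if (ret != 0) {
        const char *e = krb5_get_error_message(ctx, ret);
        fprintf(stderr, "%s\n", e);
        krb5_free_error_message(ctx, e);
    } else
        krb5_free_cred_contents(ctx, &creds);
    krb5_get_init_creds_opt_free(ctx, opt);
    krb5_free_principal(ctx, client);
    krb5_free_context(ctx);
    return ret != 0;
}
#else
/* Stand-alone demo on constructed times: a 2-day lifetime as in the thread. */
int main(void)
{
    long now = (long)time(NULL);
    puts(expiry_warning_text(now, now + 2 * 86400L, 0, 1));
    return 0;
}
#endif
```

With the callback registered, the warning decision is entirely the application's: a 2-day lifetime falls inside the window and produces a message, while the default prompter path is never consulted for it. Treat the is_last_req == 0 case conservatively, since the key-expiration field does not distinguish password expiry from account expiry.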
