communications with KDC in calling krb5_get_init_creds_password()
Bin Lu
blu at paloaltonetworks.com
Wed Jun 25 15:05:19 EDT 2014
Hi,
In calling the above lib function, I noticed that it talks to the KDC 3 times, in the for loop of function init_creds_get() in the get_in_tkt.c file. The first 2 times are over UDP and the last time is over TCP, because the 2nd krb5_init_creds_step() returns KRB5KRB_ERR_RESPONSE_TOO_BIG.
Questions:
1. Why does the API need to talk to the KDC twice in order to validate the password? As I understand it, all it needs is to check whether it can decrypt the TGS session key returned in the 1st response.
2. What data that it receives from the KDC would cause response TOO BIG in this API, the credential?
Thanks,
-binlu