[30653] in Kerberos

Unexpected return codes from KDC -- krb5-1.6.3

daemon@ATHENA.MIT.EDU (Mike Friedman)
Tue Jan 27 18:55:03 2009

Date: Tue, 27 Jan 2009 15:53:33 -0800 (PST)
From: Mike Friedman <mikef@berkeley.edu>
To: MIT Kerberos Mailing List <kerberos@mit.edu>
In-Reply-To: <ldvr644nekl.fsf@cathode-dark-space.mit.edu>
Message-ID: <alpine.BSF.1.10.0901271531220.81507@brillig.security.berkeley.edu>

This is a 'sequel' to my earlier postings about getting bad return codes 
from the KDC.  However, I've moved from a binary Linux distribution to a 
FreeBSD port of MIT Kerberos and my symptoms are a bit different, so I'm 
starting a new thread.

My problem is this:

I'm using programs based on the MIT API to do authentication, via 
get_in_tkt_with_password (or get_in_tkt_with_keytab), krb5_mk_req, 
krb5_rd_req. (This is perl code using the Authen::Krb5 module, which I've 
been running for a couple of years on my production 1.4.2 system).

If I have a principal that has any of the following set, then, even if I 
supply the correct password, I get back a return code of 31 (decrypt 
integrity check), instead of the more specific return code that would 
correspond to the specific situation:

   CLIENT_NOT_FOUND
   CLIENT EXPIRED
   REQUIRED PWCHANGE
   CLIENT KEY EXPIRED

But if none of the above is true, then my authentication succeeds (RC=0) 
if I supply the correct password, and fails with the expected RC=31 if I 
enter an invalid password.

This is krb5-1.6.3 on FreeBSD.

In reply to one of my earlier postings, Tom Yu said the following:

> I am unable to reproduce this condition.  Is the krb5-1.6.1 KDC possibly 
> built using the --with-vague-errors option?

Looking through the (now 1.6.3) build tree, I see no indication that 
'--with-vague-errors' is being specified as an override.  In 
src/configure, it appears to be specified by default, but I think that is 
my own misunderstanding of the configure file, because my production KDC 
(1.4.2) src/configure looks exactly the same in this regard and I don't 
get this behavior there.

My symptoms seem very much consistent with the presumed meaning of 
'--with-vague-errors', but I have the problem only on 1.6.3, yet it 
appears that neither system is compiled with that option.

Is it possible that 1.6.3 defaults to '--with-vague-errors', unlike 1.4.2? 
More specifically, how can I be sure whether that option was specified at 
compile time?

Thanks for any suggestions.

Mike

_________________________________________________________________________
Mike Friedman                        Information Services & Technology
mikef@berkeley.edu                   2484 Shattuck Avenue
1-510-642-1410                       University of California at Berkeley
http://mikef.berkeley.edu            http://ist.berkeley.edu
_________________________________________________________________________
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
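
One way to check the compile-time question raised in the message above, added here as an example and not part of the original post or of the krb5 distribution. It assumes the build tree still has the `config.log` that autoconf wrote; `KRBCONF_VAGUE_ERRORS` is the macro krb5's configure script defines for `--with-vague-errors` (the name comes from the krb5 source, not from this message), and the sample logs are constructed.

```shell
#!/bin/sh
# Inspect an autoconf config.log from a krb5 build tree and report whether
# vague KDC errors were requested on the command line and actually defined.

# Print "define=<yes|no> flag=<yes|no|unset>" for the given config.log.
vague_errors_state() {
    log=$1
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    # configure records its own command line near the top: "  $ ./configure ..."
    invocation=$(sed -n '/^ *\$ .*configure/{p;q;}' "$log")
    case " $invocation " in
        *" --without-vague-errors "*|*" --with-vague-errors=no "*) flag=no ;;
        *" --with-vague-errors "*|*" --with-vague-errors=yes "*)   flag=yes ;;
        *) flag=unset ;;
    esac
    # Every AC_DEFINE that fired appears in the confdefs.h dump at the end.
    if grep -Eq '^#define[[:space:]]+KRBCONF_VAGUE_ERRORS[[:space:]]+1' "$log"; then
        define=yes
    else
        define=no
    fi
    echo "define=$define flag=$flag"
}

# Write a constructed sample log (not from a real build), relevant lines only.
make_sample_log() {   # $1 = output file, $2 = "vague" or "default"
    if [ "$2" = vague ]; then
        args="--prefix=/usr/local --with-vague-errors"
        def="#define KRBCONF_VAGUE_ERRORS 1"
    else
        args="--prefix=/usr/local"
        def=""
    fi
    printf '%s\n' "Invocation command line was" "" "  \$ ./configure $args" \
        "## confdefs.h. ##" '#define PACKAGE_NAME "Kerberos 5"' \
        ${def:+"$def"} > "$1"
}

tmp=$(mktemp -d)
make_sample_log "$tmp/vague.log" vague
make_sample_log "$tmp/default.log" default
vague_errors_state "$tmp/vague.log"
vague_errors_state "$tmp/default.log"
rm -rf "$tmp"
```

A `define=yes` result means the KDC binary built from that tree hides the specific client status from the requester; `define=no flag=unset` means the option was neither requested nor enabled by default in that build.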