[30665] in Kerberos


Re: Unexpected return codes from KDC -- krb5-1.6.3

daemon@ATHENA.MIT.EDU (Mike Friedman)
Thu Jan 29 16:44:31 2009

Date: Thu, 29 Jan 2009 13:43:06 -0800 (PST)
From: Mike Friedman <mikef@berkeley.edu>
To: Tom Yu <tlyu@mit.edu>
In-Reply-To: <ldvfxj1u7qn.fsf@cathode-dark-space.mit.edu>
Message-ID: <alpine.BSF.1.10.0901291338360.7972@brillig.security.berkeley.edu>
MIME-Version: 1.0
Cc: MIT Kerberos Mailing List <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 29 Jan 2009 at 16:23 (-0500), Tom Yu wrote:

> The get_in_tkt APIs are deprecated in favor of the get_init_creds APIs. 
> I know that this fact is probably not well-documented.

Tom,

Yes, I've been aware of this for some time.  Unfortunately, my code is 
several years old and I've not had a chance to upgrade it.

Anyway, by now you've probably seen my subsequent note that, I hope, helps 
clarify the actual situation with return codes.

>> If I have a principal that has any of the following set, then, even if 
>> I supply the correct password, I get back a return code of 31 (decrypt 
>> integrity check), instead of the more specific return code that would 
>> correspond to the specific situation:
>>
>>    CLIENT_NOT_FOUND
>>    CLIENT EXPIRED
>>    REQUIRED PWCHANGE
>>    CLIENT KEY EXPIRED
>>
>> But if none of the above is true, then my authentication succeeds 
>> (RC=0) if I supply the correct password, and fails with the expected 
>> RC=31 if I enter an invalid password.
>
> What error shows up in the KDC logs during those failure conditions?

One example is this:

   CLIENT KEY EXPIRED: mikef@BERKELEY.EDU for krbtgt/BERKELEY.EDU@BERKELEY.EDU, Password has expired

As I said in my later note, it's not just my API code that's reflecting 
the wrong return code.  Even kinit tells me 'Password incorrect while 
getting initial credentials', though I did enter the correct password. 
And (as I also mentioned, for what it might be worth), the KDC is not even 
doing the REQUIRES_PREAUTH exchange in these cases.

Mike

_________________________________________________________________________
Mike Friedman                        Information Services & Technology
mikef@berkeley.edu                   2484 Shattuck Avenue
1-510-642-1410                       University of California at Berkeley
http://mikef.berkeley.edu            http://ist.berkeley.edu
_________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkmCIuoACgkQFgKSfLOvZ1Rk+wCfRLoafDZwTlYOtEi4UKm45CZq
FDwAn1azP4Faaf78r8zKOQM0PVlWdB6r
=SWgA
-----END PGP SIGNATURE-----
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
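The thread turns on the gap between the error the KDC puts on the wire (the KDC log says CLIENT KEY EXPIRED) and the code the client side reports (31, which kinit prints as "Password incorrect"). The block below is an added example, not code from the thread or from MIT krb5: it decodes the error-code and e-text fields of a KRB-ERROR message (RFC 4120, section 5.9.1) with a minimal DER reader, so the KDC's answer can be captured and checked independently of what the client library returns. The sample KRB-ERROR is constructed inline with a small encoder (it is not a captured packet), the function names are this example's own, and the mapping from libkrb5 com_err codes back to protocol numbers assumes the usual layout of the krb5 error table, where the first 128 entries mirror the protocol error codes.

```python
# Added example (not part of the original thread): read the error-code a KDC
# actually sent in a KRB-ERROR (RFC 4120, 5.9.1) and compare it with the
# com_err code a libkrb5 client reports. The sample message is constructed here.

# Protocol error codes from RFC 4120 section 7.5.9 (subset relevant to the thread).
ERROR_CODES = {
    1: "KDC_ERR_NAME_EXP",              # client entry expired
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",   # client not found
    18: "KDC_ERR_CLIENT_REVOKED",
    23: "KDC_ERR_KEY_EXPIRED",          # password expired / change required
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    31: "KRB_AP_ERR_BAD_INTEGRITY",
}

# libkrb5 reports errors as com_err codes offset from its error-table base
# (KRB5KDC_ERR_NONE). Assumption: the first 128 entries track the protocol codes.
KRB5_ERROR_TABLE_BASE = -1765328384

def krb5_to_protocol(errcode):
    """Map a libkrb5 com_err code back to the protocol error number, or None."""
    offset = errcode - KRB5_ERROR_TABLE_BASE
    return offset if 0 <= offset < 128 else None

# --- minimal DER encoding, only what KRB-ERROR needs ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(v):
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def kstr(s):                      # KerberosString is a GeneralString (tag 27)
    return tlv(0x1B, s.encode("ascii"))

def ctx(n, body):                 # explicit context tag [n], constructed
    return tlv(0xA0 | n, body)

def build_krb_error(error_code, e_text=None, realm="EXAMPLE.COM"):
    """Construct a KRB-ERROR as a KDC would send for an AS-REQ for krbtgt."""
    sname = tlv(0x30, ctx(0, der_int(2)) +            # name-type NT-SRV-INST
                      ctx(1, tlv(0x30, kstr("krbtgt") + kstr(realm))))
    fields = (ctx(0, der_int(5)) +                      # pvno
              ctx(1, der_int(30)) +                     # msg-type KRB-ERROR
              ctx(4, tlv(0x18, b"20090129214306Z")) +   # stime (GeneralizedTime)
              ctx(5, der_int(0)) +                      # susec
              ctx(6, der_int(error_code)) +             # error-code
              ctx(9, kstr(realm)) +                     # realm
              ctx(10, sname))                           # sname
    if e_text is not None:
        fields += ctx(11, kstr(e_text))                 # e-text
    return tlv(0x7E, tlv(0x30, fields))                 # [APPLICATION 30] SEQUENCE

# --- minimal DER decoding ---
def read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the single-byte-tag TLV at pos."""
    tag = buf[pos]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tags are not used in KRB-ERROR")
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                                    # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_krb_error(msg):
    """Return the KRB-ERROR fields a troubleshooter cares about."""
    tag, body, end = read_tlv(msg, 0)
    if tag != 0x7E or end != len(msg):
        raise ValueError("not an [APPLICATION 30] KRB-ERROR")
    tag, seq, _ = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    fields, pos = {}, 0
    while pos < len(seq):                               # explicit [n] wrappers
        tag, inner, pos = read_tlv(seq, pos)
        if (tag & 0xE0) != 0xA0:
            raise ValueError("expected explicit context tag")
        fields[tag & 0x1F] = inner
    msg_type = int.from_bytes(read_tlv(fields[1], 0)[1], "big", signed=True)
    if msg_type != 30:
        raise ValueError("msg-type %d is not KRB-ERROR" % msg_type)
    code = int.from_bytes(read_tlv(fields[6], 0)[1], "big", signed=True)
    e_text = read_tlv(fields[11], 0)[1].decode("ascii") if 11 in fields else None
    return {"error_code": code,
            "name": ERROR_CODES.get(code, "unknown(%d)" % code),
            "e_text": e_text}

if __name__ == "__main__":
    # The case in the thread: password expired, KDC logs "CLIENT KEY EXPIRED".
    wire = build_krb_error(23, "Password has expired", realm="BERKELEY.EDU")
    print(parse_krb_error(wire))
    # The com_err value for KRB5KRB_AP_ERR_BAD_INTEGRITY maps back to protocol code 31.
    print(krb5_to_protocol(-1765328353))   # 31
```

Feed a KRB-ERROR taken from a packet capture of the AS exchange to parse_krb_error and compare the decoded error-code with what the client API or kinit reported; a KDC_ERR_KEY_EXPIRED (23) on the wire alongside a client-side 31 confirms the discrepancy is on the client side rather than in the KDC's response.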
