[30666] in Kerberos
Re: Unexpected return codes from KDC -- krb5-1.6.3
daemon@ATHENA.MIT.EDU (Tom Yu)
Thu Jan 29 17:10:26 2009
To: Mike Friedman <mikef@berkeley.edu>
From: Tom Yu <tlyu@MIT.EDU>
Date: Thu, 29 Jan 2009 17:09:34 -0500
In-Reply-To: <alpine.BSF.1.10.0901291338360.7972@brillig.security.berkeley.edu>
(Mike Friedman's message of "Thu,
29 Jan 2009 13:43:06 -0800 (PST)")
Message-ID: <ldv1vulu5lt.fsf@cathode-dark-space.mit.edu>
MIME-Version: 1.0
Cc: MIT Kerberos Mailing List <kerberos@MIT.EDU>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@MIT.EDU
Mike Friedman <mikef@berkeley.edu> writes:
>> What error shows up in the KDC logs during those failure conditions?
>
> One example is this:
>
> CLIENT KEY EXPIRED: mikef@BERKELEY.EDU for krbtgt/BERKELEY.EDU@BERKELEY.EDU, Password has expired
>
> As I said in my later note, it's not just my API code that's reflecting
> the wrong return code. Even kinit tells me 'Password incorrect while
> getting initial credentials', though I did enter the correct password.
> And (as I also mentioned, for what it might be worth), the KDC is not even
> doing the REQUIRES_PREAUTH exchange in these cases.
Are you getting a "password incorrect" error from kinit when the KDC
logs the "CLIENT KEY EXPIRED" message above? If you are getting the
incorrect error code out of kinit as well, I was unable to reproduce
that.
Which release are you getting the kinit program from? And which
release are you using for the library for the program you wrote? What
does "getprinc" show for the principal when you have set it up to
produce this failure condition?
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
