On Fri, 19 Dec 2008 at 14:35 (-0500), Tom Yu wrote:

> Mike Friedman <[email protected]> writes:
>
>> I've been doing some testing of my programs that use the MIT API
>> against a KDC running 1.6.1 on a Linux system. On all prior systems
>> where I've run a KDC, and according to the Kerberos docs, a principal
>> expired condition should set a return code of 1. But on this test
>> system, it seems I'm getting back a 60, which the docs define as a
>> 'generic error'.
>
> I am unable to reproduce this condition. Is the krb5-1.6.1 KDC possibly
> built using the --with-vague-errors option?

Tom,

Sorry for the delayed reply; I was on vacation for 3 weeks during the
holiday period.

I just ran a simple test, with my perl program that uses the MIT API for
authentication. The results are very simple:

1. If the principal has not expired, authentication succeeds.

2. If the principal has expired, I get this error message from the KDC,
   specifically when I'm doing a krb5_mk_req:

     Generic error (see e-text)

   and a return code of 60.

In the KDC log, for a failure, I see the following:

  In response to the AS_REQ:

    CLIENT EXPIRED: [email protected] for krbtgt/[email protected], Client's entry in database has expired

  From the krb5_mk_req attempt:

    PROCESS_TGS: authtime 0, <unknown client> for krbproxy/[email protected], No matching key in entry

Yet, if the principal is not expired, I get this:

  In response to the AS_REQ:

    ISSUE: authtime 1231806450, etypes {rep=1 tkt=18 ses=1}, [email protected] for krbtgt/[email protected]

  Followed by,

    ISSUE: authtime 1231806450, etypes {rep=1 tkt=18 ses=1}, [email protected] for krbproxy/[email protected]

i.e., success, which seems to imply that my service keytab is set up OK.

Unfortunately, this KDC was installed using a RedHat Linux pre-compiled
RPM binary of MIT krb5-1.6.1, by someone other than me, so I can't answer
your question about the '--with-vague-errors' option (which I had never
heard of).

Any ideas?

Mike

_________________________________________________________________________
Mike Friedman                        Information Services & Technology
[email protected]                    2484 Shattuck Avenue
1-510-642-1410                       University of California at Berkeley
http://mikef.berkeley.edu            http://ist.berkeley.edu
_________________________________________________________________________
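Added example, not part of the original message and not MIT krb5 code: a small Python parser for the KDC log fragments quoted above, which pairs a "<unknown client>" PROCESS_TGS failure with the CLIENT EXPIRED denial that precedes it. The principals in SAMPLE are constructed placeholders, and pairing by log order is an assumption taken from the order in which the message reports the two entries.

```python
import re

# Tail of a KDC log entry, in the two shapes quoted in the message above.
ISSUE = re.compile(r"ISSUE: authtime (?P<authtime>\d+), etypes \{(?P<etypes>[^}]*)\}, "
                   r"(?P<client>\S+) for (?P<server>\S+)$")
FAIL = re.compile(r"(?P<status>[A-Z][A-Z_ ]+): (?:authtime (?P<authtime>\d+), )?"
                  r"(?P<client>.+?) for (?P<server>[^,]+), (?P<reason>.+)$")

def parse(line):
    """Return a dict for one log line, or None if it has neither shape."""
    line = line.strip()
    m = ISSUE.search(line)  # search() skips any text before the status keyword
    if m:
        return {"status": "ISSUE", "reason": None, **m.groupdict()}
    m = FAIL.search(line)
    return m.groupdict() if m else None

def pair_expired_with_tgs_failures(lines):
    """Heuristic (assumption): the TGS failure names no client, so attach each
    '<unknown client>' PROCESS_TGS failure to the latest CLIENT EXPIRED denial."""
    pairs, last_expired = [], None
    for rec in filter(None, map(parse, lines)):
        if rec["status"] == "CLIENT EXPIRED":
            last_expired = rec["client"]
        elif (rec["status"] == "PROCESS_TGS" and last_expired
              and rec["client"] == "<unknown client>"):
            pairs.append((last_expired, rec["server"], rec["reason"]))
            last_expired = None  # one follow-up failure per denial
    return pairs

# Constructed sample: layout copied from the message, principals are placeholders.
SAMPLE = [
    "CLIENT EXPIRED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, "
    "Client's entry in database has expired",
    "PROCESS_TGS: authtime 0, <unknown client> for "
    "krbproxy/host.example.test@EXAMPLE.TEST, No matching key in entry",
    "ISSUE: authtime 1231806450, etypes {rep=1 tkt=18 ses=1}, "
    "bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    "ISSUE: authtime 1231806450, etypes {rep=1 tkt=18 ses=1}, "
    "bob@EXAMPLE.TEST for krbproxy/host.example.test@EXAMPLE.TEST",
]

if __name__ == "__main__":
    for client, server, reason in pair_expired_with_tgs_failures(SAMPLE):
        print(f"{client}: expired at AS_REQ, then TGS failure for {server} ({reason})")
```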
