This is a 'sequel' to my earlier postings about getting bad return codes from the KDC. However, I've moved from a binary Linux distribution to a FreeBSD port of MIT Kerberos and my symptoms are a bit different, so I'm starting a new thread.

My problem is this: I'm using programs based on the MIT API to do authentication, via get_in_tkt_with_password (or get_in_tkt_with_keytab), krb5_mk_req, krb5_rd_req. (This is Perl code using the Authen::Krb5 module, which I've been running for a couple of years on my production 1.4.2 system).

If I have a principal that has any of the following set, then, even if I supply the correct password, I get back a return code of 31 (decrypt integrity check), instead of the more specific return code that would correspond to the specific situation:

    CLIENT_NOT_FOUND
    CLIENT EXPIRED
    REQUIRED PWCHANGE
    CLIENT KEY EXPIRED

But if none of the above is true, then my authentication succeeds (RC=0) if I supply the correct password, and fails with the expected RC=31 if I enter an invalid password.

This is krb5-1.6.3 on FreeBSD.

In reply to one of my earlier postings, Tom Yu said the following:

> I am unable to reproduce this condition. Is the krb5-1.6.1 KDC possibly
> built using the --with-vague-errors option?

Looking through the (now 1.6.3) build tree, I see no indication that '--with-vague-errors' is being specified as an override. In src/configure, it appears to be specified by default, but I think that is my own misunderstanding of the configure file, because my production KDC (1.4.2) src/configure looks exactly the same in this regard and I don't get this behavior there.

My symptoms seem very much consistent with the presumed meaning of '--with-vague-errors', but I have the problem only on 1.6.3, yet it appears that neither system is compiled with that option.

Is it possible that 1.6.3 defaults to '--with-vague-errors', unlike 1.4.2? More specifically, how can I be sure whether that option was specified at compile time?

Thanks for any suggestions.

Mike

_________________________________________________________________________
Mike Friedman                   Information Services & Technology
[email protected]               2484 Shattuck Avenue
1-510-642-1410                  University of California at Berkeley
http://mikef.berkeley.edu       http://ist.berkeley.edu
_________________________________________________________________________
