Mike Friedman <[email protected]> writes: >> What error shows up in the KDC logs during those failure conditions? > > One example is this: > > CLIENT KEY EXPIRED: [email protected] for > krbtgt/[email protected], Password has expired > > As I said in my later note, it's not just my API code that's reflecting > the wrong return code. Even kinit tells me 'Password incorrect while > getting initial credentials', though I did enter the correct password. > And (as I also mentioned, for what it might be worth), the KDC is not even > doing the REQUIRES_PREAUTH exchange in these cases.
Are you getting a "password incorrect" error from kinit when the KDC logs the "CLIENT KEY EXPIRED" message above? If you are getting the incorrect error code out of kinit as well, I was unable to reproduce that. Which release are you getting the kinit program from? And which release are you using for the library for the program you wrote? What does "getprinc" show for the principal when you have set it up to produce this failure condition? ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
