On Thu, 29 Jan 2009 at 17:09 (-0500), Tom Yu wrote:

> Mike Friedman <[email protected]> writes:
>
>> CLIENT KEY EXPIRED: [email protected] for
>> krbtgt/[email protected], Password has expired
>>
>> As I said in my later note, it's not just my API code that's reflecting
>> the wrong return code. Even kinit tells me 'Password incorrect while
>> getting initial credentials', though I did enter the correct password.
>> And (as I also mentioned, for what it might be worth), the KDC is not
>> even doing the REQUIRES_PREAUTH exchange in these cases.
>
> Are you getting a "password incorrect" error from kinit when the KDC
> logs the "CLIENT KEY EXPIRED" message above? If you are getting the
> incorrect error code out of kinit as well, I was unable to reproduce
> that.

Tom,

Yes, when the KDC says 'CLIENT KEY EXPIRED', kinit says 'Password incorrect'.

> Which release are you getting the kinit program from? And which release
> are you using for the library for the program you wrote? What does
> "getprinc" show for the principal when you have set it up to produce
> this failure condition?

Previously, I was using a 1.4.2 kinit remotely. But I just tried 1.6.3
kinit on the same 1.6.3 KDC itself and also got a 'Password incorrect'
message.

Also, as for my API program, I actually tried with a version that was
built with 1.4.2 and one built with an older MIT version. But the fact
that kinit seems to be acting the same way would appear to be the
significant point.

Here's what getprinc shows:

kadmin.local: getprinc mikef
Principal: [email protected]
Expiration date: [never]
Last password change: Tue Jan 27 14:41:56 PST 2009
Password expiration date: Wed Jan 28 11:00:16 PST 2009
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jan 29 11:00:16 PST 2009 (root/[email protected])
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

_________________________________________________________________________
Mike Friedman                   Information Services & Technology
[email protected]               2484 Shattuck Avenue
1-510-642-1410                  University of California at Berkeley
http://mikef.berkeley.edu       http://ist.berkeley.edu
_________________________________________________________________________
