Hi,

I noticed a problem with kinit from krb5-1.7. In case of a wrong password, kinit tries up to 8 times to get initial credentials. This happens if the KDC is an Active Directory controller:

  # kinit user
  Password for [email protected]: <wrong password>
  kinit: Looping detected inside krb5_get_in_tkt while getting initial credentials

Wireshark shows the following sequence:

  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED

This leads to a problem if account lockout policies are enabled. Users get locked out after entering just one wrong password:

  # kinit user
  Password for [email protected]: <wrong password>
  kinit: Clients credentials have been revoked while getting initial credentials
  #

  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
  AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
  AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED
           NT Status: NTSTATUS_ACCOUNT_LOCKED_OUT

My Active Directory is a win2k3-r2.

My /etc/krb5.conf looks like this:

  [libdefaults]
      default_realm = MYDOMAIN.EXAMPLE

  [realms]
      MYDOMAIN.EXAMPLE = {
          kdc = 10.10.10.26
      }

Is there an option to prevent kinit from looping?

Regards,
Mark Pröhl

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
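The exchange in the post can be modelled to see why a single mistyped password is counted as several bad-password attempts by the domain controller. The simulation below is an added example, not code from the post or from MIT krb5: the KDC demands pre-authentication, returns PREAUTH_FAILED for a wrong encrypted-timestamp padata and increments a bad-password counter each time, and the client, like the kinit in the trace, restarts the AS exchange from scratch after every PREAUTH_FAILED, up to 8 times. The lockout threshold of 3 is an assumption read off the second Wireshark trace (three PREAUTH_FAILED replies before CLIENT_REVOKED), and `stop_on_preauth_failed` is a hypothetical switch illustrating the non-looping behaviour the poster is asking for; it is not a krb5.conf option.

```python
"""Constructed model of the kinit/AD retry loop from the mailing-list post.

Not MIT krb5 code: both sides are reduced to the reply codes visible in the
Wireshark trace so the bad-password accounting can be followed end to end.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PREAUTH_REQUIRED = "KRB5KDC_ERR_PREAUTH_REQUIRED"
PREAUTH_FAILED = "KRB5KDC_ERR_PREAUTH_FAILED"
CLIENT_REVOKED = "KRB5KDC_ERR_CLIENT_REVOKED"
AS_REP = "AS-REP"
LOOP_DETECTED = "Looping detected inside krb5_get_in_tkt"


@dataclass
class KDC:
    """Minimal AD-like KDC: requires pre-auth, counts bad passwords, locks out.

    lockout_threshold=0 models a domain with no account lockout policy.
    """
    password: str
    lockout_threshold: int = 0
    bad_pwd_count: int = 0
    locked: bool = False

    def as_exchange(self, padata_password: Optional[str]) -> str:
        # AD checks the lockout state before looking at any pre-auth data,
        # which is why the trace ends with a bare AS-REQ -> CLIENT_REVOKED.
        if self.locked:
            return CLIENT_REVOKED
        if padata_password is None:
            return PREAUTH_REQUIRED  # first AS-REQ carries no padata
        if padata_password == self.password:
            self.bad_pwd_count = 0
            return AS_REP
        # Every failed PA-ENC-TIMESTAMP counts as one bad password attempt.
        self.bad_pwd_count += 1
        if self.lockout_threshold and self.bad_pwd_count >= self.lockout_threshold:
            self.locked = True
        return PREAUTH_FAILED


def kinit(kdc: KDC, password: str, max_loops: int = 8,
          stop_on_preauth_failed: bool = False) -> Tuple[str, List[Tuple[str, str]]]:
    """Run the AS exchange the way the traced kinit does and return (result, trace).

    Each loop sends a padata-less AS-REQ, then retries with encrypted-timestamp
    padata derived from the password. The looping client restarts after
    PREAUTH_FAILED until max_loops is hit (the behaviour in the post);
    stop_on_preauth_failed (hypothetical) gives up after the first failure.
    """
    trace: List[Tuple[str, str]] = []
    for _ in range(max_loops):
        reply = kdc.as_exchange(None)
        trace.append(("AS-REQ", reply))
        if reply != PREAUTH_REQUIRED:
            return reply, trace  # AS_REP (no preauth needed) or CLIENT_REVOKED
        reply = kdc.as_exchange(password)
        trace.append(("AS-REQ + PA-ENC-TIMESTAMP", reply))
        if reply in (AS_REP, CLIENT_REVOKED):
            return reply, trace
        if stop_on_preauth_failed:
            return reply, trace
    return LOOP_DETECTED, trace


def scenario(lockout_threshold: int, password: str,
             stop_on_preauth_failed: bool = False) -> Tuple[str, int, bool, int]:
    """Return (result, bad_pwd_count, locked, number of AS-REQs sent)."""
    kdc = KDC(password="correct-password", lockout_threshold=lockout_threshold)
    result, trace = kinit(kdc, password, stop_on_preauth_failed=stop_on_preauth_failed)
    return result, kdc.bad_pwd_count, kdc.locked, len(trace)


if __name__ == "__main__":
    # No lockout policy: 8 wrong-password rounds, 16 AS-REQs, then the loop error.
    print(scenario(0, "wrong"))
    # Lockout after 3 bad passwords: one mistyped password locks the account.
    print(scenario(3, "wrong"))
    # Same policy, client that stops after the first PREAUTH_FAILED.
    print(scenario(3, "wrong", stop_on_preauth_failed=True))
```

With the lockout threshold of 3, the looping client sends PREAUTH_REQUIRED/PREAUTH_FAILED pairs three times and the fourth padata-less AS-REQ is answered with CLIENT_REVOKED, matching the second trace; a client that stops after the first PREAUTH_FAILED leaves the counter at 1 and the account unlocked.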
