I just built trunk and did the same test again. The problem doesn't occur
with kinit from trunk.

Regards,
Mark

Luke Howard wrote:
> Mark,
>
> Are you able to test whether this still occurs with trunk?
>
> regards,
>
> -- Luke
>
> On 07/10/2009, at 4:04 PM, Mark Pröhl wrote:
>
> > Hi,
> >
> > I noticed a problem with kinit from krb-1.7. In case of a wrong
> > password, kinit tries up to 8 times to get initial credentials.
> > This happens if the KDC is an active directory controller:
> >
> > # kinit user
> > Password for [email protected]: <wrong password>
> > kinit: Looping detected inside krb5_get_in_tkt while getting initial
> > credentials
> >
> > Wireshark shows the following sequence:
> >
> > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> >
> > This leads to a problem if account lockout policies are enabled.
> > Users get locked out after entering just one wrong password:
> >
> > # kinit user
> > Password for [email protected]: <wrong password>
> > kinit: Clients credentials have been revoked while getting initial
> > credentials
> > #
> >
> > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> > AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED NT Status:
> > NTATUS_ACCOUNT_LOCKED_OUT
> >
> >
> > My active directory is a win2k3-r2.
> >
> > My /etc/krb5.conf looks like this:
> >
> > [libdefaults]
> >     default_realm = MYDOMAIN.EXAMPLE
> > [realms]
> >     MYDOMAIN.EXAMPLE = {
> >         kdc = 10.10.10.26
> >     }
> >
> >
> > Is there an option to prevent kinit from looping?
> >
> > Regards,
> >
> > Mark Pröhl
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
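
The retry pattern in the traces above can be spotted on the KDC side by grouping pre-authentication failures per principal into short time bursts. This is an added example, not part of the thread or of MIT krb5; the log format, principals, timestamps and the 2-second window are assumptions constructed for illustration.

```python
from collections import defaultdict

FAILED = "KRB5KDC_ERR_PREAUTH_FAILED"
REVOKED = "KRB5KDC_ERR_CLIENT_REVOKED"

# Constructed sample: "<seconds> <principal> <KDC error>". alice mirrors the
# lockout trace from the post; bob is a person retyping a password.
SAMPLE = """\
0.00 alice@EXAMPLE.TEST KRB5KDC_ERR_PREAUTH_REQUIRED
0.02 alice@EXAMPLE.TEST KRB5KDC_ERR_PREAUTH_FAILED
0.03 alice@EXAMPLE.TEST KRB5KDC_ERR_PREAUTH_REQUIRED
0.05 alice@EXAMPLE.TEST KRB5KDC_ERR_PREAUTH_FAILED
0.06 alice@EXAMPLE.TEST KRB5KDC_ERR_PREAUTH_REQUIRED
0.08 alice@EXAMPLE.TEST KRB5KDC_ERR_PREAUTH_FAILED
0.09 alice@EXAMPLE.TEST KRB5KDC_ERR_CLIENT_REVOKED
5.00 bob@EXAMPLE.TEST KRB5KDC_ERR_PREAUTH_REQUIRED
5.02 bob@EXAMPLE.TEST KRB5KDC_ERR_PREAUTH_FAILED
40.00 bob@EXAMPLE.TEST KRB5KDC_ERR_PREAUTH_REQUIRED
40.02 bob@EXAMPLE.TEST KRB5KDC_ERR_PREAUTH_FAILED
"""

def parse(text):
    """Yield (time, principal, error); skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield float(parts[0]), parts[1], parts[2]

def find_retry_bursts(text, window=2.0, min_failures=2):
    """Return {principal: [burst, ...]} for bursts holding at least
    min_failures PREAUTH_FAILED errors within `window` seconds of the
    first one. Several failures that close together fit a client retrying
    one password better than a person typing it again."""
    bursts = defaultdict(list)
    for t, who, err in parse(text):
        if err not in (FAILED, REVOKED):
            continue  # PREAUTH_REQUIRED is the normal first round trip
        cur = bursts[who][-1] if bursts[who] else None
        if cur is None or t - cur["start"] > window:
            cur = {"start": t, "failures": 0, "revoked": False}
            bursts[who].append(cur)
        if err == FAILED:
            cur["failures"] += 1
        else:
            cur["revoked"] = True  # lockout landed inside this burst
    flagged = {}
    for who, items in bursts.items():
        hits = [b for b in items if b["failures"] >= min_failures]
        if hits:
            flagged[who] = hits
    return flagged
```

A flagged burst with `revoked` set is the case reported in the thread: one password prompt that consumed the whole lockout allowance.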
