Hi Luke,

The problem doesn't occur in 1.6 (tested with debian lenny package).

Regards,

Mark

Luke Howard wrote:
> Hi Mark,
>
> Yes, I think this was a bug in the referral handling code that I fixed
> whilst implementing something else (S4U).
>
> Do you know if it occurred with 1.6 or was a regression with 1.7?
>
> regards,
>
> -- Luke
>
> On 07/10/2009, at 9:03 PM, Mark Pröhl wrote:
>
> I just built trunk and did the same test again.
> The problem doesn't occur with kinit from trunk
>
> Regards,
>
> Mark
>
> Luke Howard wrote:
>>>> Mark,
>>>>
>>>> Are you able to test whether this still occurs with trunk?
>>>>
>>>> regards,
>>>>
>>>> -- Luke
>>>>
>>>> On 07/10/2009, at 4:04 PM, Mark Pröhl wrote:
>>>>
>>>> Hi,
>>>>
>>>> I noticed a problem with kinit from krb-1.7. In case of a wrong
>>>> password, kinit tries up to 8 times to get initial credentials.
>>>> This happens if the KDC is an active directory controller:
>>>>
>>>> # kinit user
>>>> Password for [email protected]: <wrong password>
>>>> kinit: Looping detected inside krb5_get_in_tkt while getting initial
>>>> credentials
>>>>
>>>> Wireshark shows the following sequence:
>>>>
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>>
>>>> This leads to a problem if account lockout policies are enabled.
>>>> Users get locked out after entering just one wrong password:
>>>>
>>>> # kinit user
>>>> Password for [email protected]: <wrong password>
>>>> kinit: Clients credentials have been revoked while getting initial
>>>> credentials
>>>> #
>>>>
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED NT Status:
>>>> NTATUS_ACCOUNT_LOCKED_OUT
>>>>
>>>>
>>>> My active directory is a win2k3-r2.
>>>>
>>>> My /etc/krb5.conf looks like this:
>>>>
>>>> [libdefaults]
>>>>     default_realm = MYDOMAIN.EXAMPLE
>>>> [realms]
>>>>     MYDOMAIN.EXAMPLE = {
>>>>         kdc = 10.10.10.26
>>>>     }
>>>>
>>>>
>>>> Is there an option to prevent kinit from looping?
>>>>
>>>> Regards,
>>>>
>>>> Mark Pröhl
>>>>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
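
The retry pattern in the capture above (several KRB5KDC_ERR_PREAUTH_FAILED replies for one password prompt, ending in KRB5KDC_ERR_CLIENT_REVOKED) can be picked out of AS exchange summaries on the KDC side. This is an added example, not part of the thread or of MIT krb5; it assumes each summary line is prefixed with a timestamp in seconds and the client principal, and the 2-second gap is an arbitrary cut-off for "too fast to be a retyped password".

```python
import re
from collections import defaultdict

# Assumed line format: "<seconds> <client principal> " + the summary form quoted in the thread.
LINE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<client>\S+)\s+AS-REQ -> KRB Error: (?P<err>KRB5KDC_ERR_\w+)")

# Constructed sample, not a real capture: "user" hits the retry loop, "other" mistypes twice by hand.
SAMPLE = """\
0.000 user@MYDOMAIN.EXAMPLE AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
0.011 user@MYDOMAIN.EXAMPLE AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
0.019 user@MYDOMAIN.EXAMPLE AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
0.030 user@MYDOMAIN.EXAMPLE AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
0.038 user@MYDOMAIN.EXAMPLE AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
0.049 user@MYDOMAIN.EXAMPLE AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
0.057 user@MYDOMAIN.EXAMPLE AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED
5.000 other@MYDOMAIN.EXAMPLE AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
5.010 other@MYDOMAIN.EXAMPLE AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
25.000 other@MYDOMAIN.EXAMPLE AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
25.010 other@MYDOMAIN.EXAMPLE AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
"""

def parse_events(text):
    """Yield (timestamp, client, error) for every line in the assumed format."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield float(m["ts"]), m["client"], m["err"]

def find_retry_bursts(events, max_gap=2.0, min_failures=2):
    """Group each client's PREAUTH_FAILED replies into bursts whose consecutive
    failures are at most max_gap seconds apart; report bursts of min_failures or more."""
    open_burst, result = {}, defaultdict(list)
    def close(client):
        b = open_burst.pop(client, None)
        if b and b["failures"] >= min_failures:
            result[client].append(b)
    for ts, client, err in sorted(events):
        b = open_burst.get(client)
        if err == "KRB5KDC_ERR_PREAUTH_FAILED":
            if b and ts - b["end"] > max_gap:
                b = close(client)  # close() returns None, so a fresh burst starts below
            if b is None:
                b = open_burst[client] = {"failures": 0, "start": ts, "end": ts, "revoked": False}
            b["failures"], b["end"] = b["failures"] + 1, ts
        elif err == "KRB5KDC_ERR_CLIENT_REVOKED" and b and ts - b["end"] <= max_gap:
            b["revoked"] = True  # the burst ran into the lockout policy
    for client in list(open_burst):
        close(client)
    return dict(result)
```

On the constructed sample, only `user` is reported: three failures within 40 ms followed by a revocation, while the two hand-typed failures from `other` are 20 seconds apart and stay below the burst threshold.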
