The following patch is not the eventual fix, but should effectively
prevent looping. Basically, it will cause kinit to stop after a
KDC_ERR_PREAUTH_FAILED error, instead of attempting to try other
preauth mechanisms.
Index: get_in_tkt.c
===================================================================
--- get_in_tkt.c (revision 22396)
+++ get_in_tkt.c (working copy)
@@ -1331,8 +1331,7 @@
&out_padata, &retry);
if (ret !=0)
goto cleanup;
- if ((err_reply->error == KDC_ERR_PREAUTH_REQUIRED ||err_reply->error
== KDC_ERR_PREAUTH_FAILED)
-&& retry) {
+ if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED && retry) {
/* reset the list of preauth types to try */
if (preauth_to_use) {
krb5_free_pa_data(context, preauth_to_use);
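Review bot: The narrowed condition `if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED && retry)` drops KDC_ERR_PREAUTH_FAILED with no comment explaining why, so a later reader could re-add it and bring the loop back. Add a short comment above the test saying that PREAUTH_FAILED is deliberately excluded to stop the retry loop, and that the reset of `preauth_to_use` is now skipped for that error, which removes fallback to other preauth mechanisms after one fails. Since this is described as a stopgap, a follow-up that keeps the fallback could bound the number of retries or skip preauth types already attempted instead of excluding the error code outright.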
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos