Hi Mark,

Yes, I think this was a bug in the referral handling code that I fixed whilst implementing something else (S4U).

Do you know if it occurred with 1.6 or was a regression with 1.7?

regards,

-- Luke

On 07/10/2009, at 9:03 PM, Mark Pröhl wrote:

> I just built trunk and did the same test again.
> The problem doesn't occur with kinit from trunk
>
> Regards,
>
> Mark
>
> Luke Howard wrote:
>> Mark,
>>
>> Are you able to test whether this still occurs with trunk?
>>
>> regards,
>>
>> -- Luke
>>
>> On 07/10/2009, at 4:04 PM, Mark Pröhl wrote:
>>
>> Hi,
>>
>> I noticed a problem with kinit from krb-1.7. In case of a wrong
>> password, kinit tries up to 8 times to get initial credentials.
>> This happens if the KDC is an active directory controller:
>>
>> # kinit user
>> Password for [email protected]: <wrong password>
>> kinit: Looping detected inside krb5_get_in_tkt while getting initial
>> credentials
>>
>> Wireshark shows the following sequence:
>>
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>
>> This leads to a problem if account lockout policies are enabled.
>> Users get locked out after entering just one wrong password:
>>
>> # kinit user
>> Password for [email protected]: <wrong password>
>> kinit: Clients credentials have been revoked while getting initial
>> credentials
>> #
>>
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED NT Status:
>> NTATUS_ACCOUNT_LOCKED_OUT
>>
>>
>> My active directory is a win2k3-r2.
>>
>> My /etc/krb5.conf looks like this:
>>
>> [libdefaults]
>>     default_realm = MYDOMAIN.EXAMPLE
>> [realms]
>>     MYDOMAIN.EXAMPLE = {
>>         kdc = 10.10.10.26
>>     }
>>
>>
>> Is there an option to prevent kinit from looping?
>>
>> Regards,
>>
>> Mark Pröhl
>>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
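
As an added example (not part of the thread and not MIT krb5 code), the following Python groups KDC error lines in the format Mark posted into per-client bursts and flags any burst where a single password entry produced more than one KRB5KDC_ERR_PREAUTH_FAILED. The leading timestamp and client address columns, the sample values, and the one-second gap are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed capture summary: "<seconds> <client> " plus the line format from the
# thread. Timestamps and client addresses are invented for this example.
SAMPLE = """\
0.00 10.10.10.50 AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
0.02 10.10.10.50 AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
0.04 10.10.10.50 AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
0.06 10.10.10.50 AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
0.08 10.10.10.50 AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
0.10 10.10.10.50 AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
0.12 10.10.10.50 AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED
3.00 10.10.10.51 AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
3.02 10.10.10.51 AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
12.00 10.10.10.51 AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
12.02 10.10.10.51 AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
"""

LINE = re.compile(r"^(\d+(?:\.\d+)?)\s+(\S+)\s+AS-REQ -> KRB Error: (KRB5KDC_ERR_\w+)")
MAX_GAP = 1.0  # assumption: a person cannot retype a password within one second

def bursts(text, max_gap=MAX_GAP):
    """Yield (client, events) groups separated by more than max_gap seconds."""
    per_client = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            per_client[m.group(2)].append((float(m.group(1)), m.group(3)))
    for client, events in per_client.items():
        events.sort()
        current = [events[0]]
        for ev in events[1:]:
            if ev[0] - current[-1][0] > max_gap:
                yield client, current
                current = []
            current.append(ev)
        yield client, current

def find_retry_loops(text, max_gap=MAX_GAP):
    """Flag bursts where one password entry caused several PREAUTH_FAILED errors."""
    findings = []
    for client, events in bursts(text, max_gap):
        codes = [code for _, code in events]
        failed = codes.count("KRB5KDC_ERR_PREAUTH_FAILED")
        if failed > 1:  # each failure counts against the account lockout policy
            findings.append({"client": client, "failed_preauth": failed,
                             "locked_out": "KRB5KDC_ERR_CLIENT_REVOKED" in codes})
    return findings
```

Calling `find_retry_loops(SAMPLE)` reports only the first client: the second one failed twice, but nine seconds apart, which is consistent with a user retyping the password.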
