Mark,

Are you able to test whether this still occurs with trunk?

regards,

-- Luke

On 07/10/2009, at 4:04 PM, Mark Pröhl wrote:

> Hi,
>
> I noticed a problem with kinit from krb-1.7. In case of a wrong
> password, kinit tries up to 8 times to get initial credentials.
> This happens if the KDC is an active directory controller:
>
> # kinit user
> Password for [email protected]: <wrong password>
> kinit: Looping detected inside krb5_get_in_tkt while getting initial
> credentials
>
> Wireshark shows the following sequence:
>
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>
> This leads to a problem if account lockout policies are enabled.
> Users get locked out after entering just one wrong password:
>
> # kinit user
> Password for [email protected]: <wrong password>
> kinit: Clients credentials have been revoked while getting initial
> credentials
> #
>
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED NT Status:
> NTATUS_ACCOUNT_LOCKED_OUT
>
> My active directory is a win2k3-r2.
>
> My /etc/krb5.conf looks like this:
>
> [libdefaults]
>     default_realm = MYDOMAIN.EXAMPLE
> [realms]
>     MYDOMAIN.EXAMPLE = {
>         kdc = 10.10.10.26
>     }
>
> Is there an option to prevent kinit from looping?
>
> Regards,
>
> Mark Pröhl
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
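
A triage sketch for the behaviour reported in this thread, added here as an example and not part of the original messages or of MIT krb5: it groups KDC error replies per client and flags bursts where several PREAUTH_FAILED replies arrive faster than a person could retype a password, which points at a client-side retry loop rather than repeated human attempts. The event tuple format, the principals, the timestamps and both thresholds are constructed assumptions.

```python
from collections import defaultdict

REQUIRED = "KRB5KDC_ERR_PREAUTH_REQUIRED"
FAILED = "KRB5KDC_ERR_PREAUTH_FAILED"
REVOKED = "KRB5KDC_ERR_CLIENT_REVOKED"

# Constructed sample (not captured traffic): (seconds, client, KDC error reply).
# "alice" mirrors the second trace in the thread: one kinit run, three failed
# pre-authentications within a fraction of a second, then a lockout.
# "bob" is a person mistyping a password three times, many seconds apart.
SAMPLE_EVENTS = (
    [(100 + 0.05 * i, "alice@MYDOMAIN.EXAMPLE", err)
     for i, err in enumerate([REQUIRED, FAILED] * 3 + [REVOKED])]
    + [(start + delay, "bob@MYDOMAIN.EXAMPLE", err)
       for start in (200, 215, 231)
       for delay, err in ((0.0, REQUIRED), (0.05, FAILED))]
)


def find_retry_bursts(events, max_gap=1.0, min_failures=3):
    """Return bursts of KDC replies per client that contain at least
    min_failures PREAUTH_FAILED errors with no gap longer than max_gap seconds.
    Both thresholds are assumptions to tune against the local lockout policy."""
    by_client = defaultdict(list)
    for ts, client, err in sorted(events):
        by_client[client].append((ts, err))

    findings = []
    for client, replies in by_client.items():
        burst = []
        # The sentinel at +infinity forces the final burst to be evaluated.
        for ts, err in replies + [(float("inf"), None)]:
            if burst and ts - burst[-1][0] > max_gap:
                failures = sum(1 for _, e in burst if e == FAILED)
                if failures >= min_failures:
                    findings.append({
                        "client": client,
                        "start": burst[0][0],
                        "failures": failures,
                        "locked_out": any(e == REVOKED for _, e in burst),
                    })
                burst = []
            burst.append((ts, err))
    return findings


if __name__ == "__main__":
    for finding in find_retry_bursts(SAMPLE_EVENTS):
        print(finding)
```

With the default one-second gap only the looping client is reported; widening `max_gap` makes the human retries count as one burst as well, which is why the gap should stay well below typing speed.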
