OK, it appears this bug was in 1.7 but the fix in trunk that I committed was wrong. But, it will be fixed (somehow) for 1.8.
-- Luke

On 07/10/2009, at 9:10 PM, Mark Pröhl wrote:

> Hi Luke,
>
> The problem doesn't occur in 1.6 (tested with debian lenny package).
>
> Regards,
>
> Mark
>
> Luke Howard wrote:
>> Hi Mark,
>>
>> Yes, I think this was a bug in the referral handling code that I fixed
>> whilst implementing something else (S4U).
>>
>> Do you know if it occurred with 1.6 or was a regression with 1.7?
>>
>> regards,
>>
>> -- Luke
>>
>> On 07/10/2009, at 9:03 PM, Mark Pröhl wrote:
>>
>> I just built trunk and did the same test again.
>> The problem doesn't occur with kinit from trunk.
>>
>> Regards,
>>
>> Mark
>>
>> Luke Howard wrote:
>>>>> Mark,
>>>>>
>>>>> Are you able to test whether this still occurs with trunk?
>>>>>
>>>>> regards,
>>>>>
>>>>> -- Luke
>>>>>
>>>>> On 07/10/2009, at 4:04 PM, Mark Pröhl wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I noticed a problem with kinit from krb-1.7. In case of a wrong
>>>>> password, kinit tries up to 8 times to get initial credentials.
>>>>> This happens if the KDC is an active directory controller:
>>>>>
>>>>> # kinit user
>>>>> Password for [email protected]: <wrong password>
>>>>> kinit: Looping detected inside krb5_get_in_tkt while getting initial credentials
>>>>>
>>>>> Wireshark shows the following sequence:
>>>>>
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>>>
>>>>> This leads to a problem if account lockout policies are enabled.
>>>>> Users get locked out after entering just one wrong password:
>>>>>
>>>>> # kinit user
>>>>> Password for [email protected]: <wrong password>
>>>>> kinit: Clients credentials have been revoked while getting initial credentials
>>>>> #
>>>>>
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED NT Status: NTATUS_ACCOUNT_LOCKED_OUT
>>>>>
>>>>> My active directory is a win2k3-r2.
>>>>>
>>>>> My /etc/krb5.conf looks like this:
>>>>>
>>>>> [libdefaults]
>>>>>   default_realm = MYDOMAIN.EXAMPLE
>>>>> [realms]
>>>>>   MYDOMAIN.EXAMPLE = {
>>>>>     kdc = 10.10.10.26
>>>>>   }
>>>>>
>>>>> Is there an option to prevent kinit from looping?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Mark Pröhl
>>>>>
>> ________________________________________________
>> Kerberos mailing list [email protected]
>> https://mailman.mit.edu/mailman/listinfo/kerberos
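The retry pattern reported in this thread, as an added detection example that is not part of the original messages or of the krb5 code: it flags bursts of KRB5KDC_ERR_PREAUTH_FAILED replies for one principal from one client that arrive faster than a person could retype a password, and notes whether the burst ended in a lockout. The event tuple layout, addresses, timings and thresholds are assumptions; the error names are the ones in the quoted trace.

```python
from collections import defaultdict

REQUIRED = "KRB5KDC_ERR_PREAUTH_REQUIRED"
FAILED = "KRB5KDC_ERR_PREAUTH_FAILED"
REVOKED = "KRB5KDC_ERR_CLIENT_REVOKED"

# Constructed sample events: (seconds, client_ip, principal, kdc_error).
SAMPLE = [
    # One password prompt, retried by the client until the account locks.
    (0.00, "192.0.2.10", "user", REQUIRED),
    (0.05, "192.0.2.10", "user", FAILED),
    (0.10, "192.0.2.10", "user", REQUIRED),
    (0.15, "192.0.2.10", "user", FAILED),
    (0.20, "192.0.2.10", "user", REQUIRED),
    (0.25, "192.0.2.10", "user", FAILED),
    (0.30, "192.0.2.10", "user", REVOKED),
    # A person mistyping twice, 20 s apart: not a burst.
    (100.0, "192.0.2.11", "alice", REQUIRED),
    (100.1, "192.0.2.11", "alice", FAILED),
    (120.0, "192.0.2.11", "alice", REQUIRED),
    (120.1, "192.0.2.11", "alice", FAILED),
]

def find_retry_bursts(events, max_gap=2.0, min_failures=3):
    """Return bursts of >= min_failures PREAUTH_FAILED replies per
    (client, principal) whose consecutive replies are <= max_gap s apart."""
    by_key = defaultdict(list)
    for ts, client, principal, err in sorted(events):
        if err in (FAILED, REVOKED):  # PREAUTH_REQUIRED is the normal first reply
            by_key[(client, principal)].append((ts, err))
    findings = []
    for (client, principal), evs in by_key.items():
        burst = []
        for ts, err in evs + [(float("inf"), None)]:  # sentinel flushes the last burst
            if burst and ts - burst[-1][0] > max_gap:
                failures = sum(e == FAILED for _, e in burst)
                if failures >= min_failures:
                    findings.append({
                        "client": client, "principal": principal,
                        "failures": failures,
                        "locked_out": any(e == REVOKED for _, e in burst),
                    })
                burst = []
            if err is not None:
                burst.append((ts, err))
    return findings

if __name__ == "__main__":
    for finding in find_retry_bursts(SAMPLE):
        print(finding)
```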
