On Thu, 2011-09-01 at 19:11 -0400, Russ Allbery wrote: > Okay, this is indeed all being handled internally by the Kerberos library. > Maybe one of the MIT Kerberos folks can comment about how errors are > reported through the Kerberos prompter facility.
If a password change fails with a "soft error", the prompter is invoked up to two more times with the banner changed to include the error string from the server. However, a bug was introduced in krb5 1.7 which caused kadmind to return a "hard error" for password quality failures. The client code handles a hard error by returning from krb5_get_init_creds_password() immediately with a not-very-descriptive error code. This kadmind bug was fixed in krb5 1.9.1. ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
