[31544] in Kerberos

home help back first fref pref prev next nref lref last post

kinit-1.7: wrong passwords lock active directory accounts

daemon@ATHENA.MIT.EDU (=?ISO-8859-1?Q?Mark_Pr=F6hl?=)
Wed Oct 7 11:53:39 2009

Message-ID: <4ACCA005.9050605@mproehl.net>
Date: Wed, 07 Oct 2009 16:04:53 +0200
From: =?ISO-8859-1?Q?Mark_Pr=F6hl?= <mark@mproehl.net>
MIME-Version: 1.0
To: kerberos@mit.edu
Reply-To: mark@mproehl.net
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I noticed a problem with kinit form krb-1.7.  In case of a wrong
password, kinit tries up to 8 times to get initial credentials.
This happens if the KDC is an active directory controller:

# kinit user
Password for user@MYDOMAIN.EXAMPLE:  <wrong password>
kinit: Looping detected inside krb5_get_in_tkt while getting initial
credentials

Wireshark shows the following sequence:

   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED

This leads to a problem if account lookout policies are enabled.
Users get locked out after entering just one wrong password:

# kinit user
Password for user@MYDOMAIN.EXAMPLE: <wrong password>
kinit: Clients credentials have been revoked while getting initial
credentials
#

   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
   AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED NT Status:
NTATUS_ACCOUNT_LOCKED_OUT


My active directory is a win2k3-r2.

My /etc/krb5.conf looks like this:

   [libdefaults]
        default_realm = MYDOMAIN.EXAMPLE
   [realms]
        MYDOMAIN.EXAMPLE  = {
           kdc = 10.10.10.26
        }


Is there an option to prevent kinit from looping?

Regards,

Mark Pröhl

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkrMoAQACgkQNP9kGj7lDw71hACg4tV1INOAziMnrd89zfCTNC7J
nngAnie9sNg/bimKdKYmKTDWLuBC3meD
=tusl
-----END PGP SIGNATURE-----
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


home help back first fref pref prev next nref lref last post