[31544] in Kerberos
kinit-1.7: wrong passwords lock active directory accounts
daemon@ATHENA.MIT.EDU (Mark Pröhl)
Wed Oct 7 11:53:39 2009
Message-ID: <4ACCA005.9050605@mproehl.net>
Date: Wed, 07 Oct 2009 16:04:53 +0200
From: Mark Pröhl <mark@mproehl.net>
MIME-Version: 1.0
To: kerberos@mit.edu
Reply-To: mark@mproehl.net
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Hi,
I noticed a problem with kinit from krb-1.7. In case of a wrong
password, kinit tries up to 8 times to get initial credentials.
This happens if the KDC is an active directory controller:
# kinit user
Password for user@MYDOMAIN.EXAMPLE: <wrong password>
kinit: Looping detected inside krb5_get_in_tkt while getting initial
credentials
Wireshark shows the following sequence:
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
This leads to a problem if account lockout policies are enabled.
Users get locked out after entering just one wrong password:
# kinit user
Password for user@MYDOMAIN.EXAMPLE: <wrong password>
kinit: Clients credentials have been revoked while getting initial
credentials
#
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED NT Status:
NTATUS_ACCOUNT_LOCKED_OUT
My active directory is a win2k3-r2.
My /etc/krb5.conf looks like this:
[libdefaults]
default_realm = MYDOMAIN.EXAMPLE
[realms]
MYDOMAIN.EXAMPLE = {
kdc = 10.10.10.26
}
Is there an option to prevent kinit from looping?
Regards,
Mark Pröhl
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
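To quantify what a trace like the ones quoted in the post costs against a lockout policy, here is an added example (not part of the post above and not MIT krb5 code) that parses Wireshark-style "AS-REQ -> KRB Error: ..." summary lines, counts how many lockout-counting failures one kinit run produced, and reports how many further AS-REQs the client sent after the KDC had already answered PREAUTH_FAILED. It assumes that Active Directory counts each KRB5KDC_ERR_PREAUTH_FAILED as one bad-password attempt and that PREAUTH_REQUIRED is only the KDC's normal pre-authentication hint; the sample traces are constructed from the sequences shown in the post.

```python
import re

# Assumption for this example: AD charges one bad-password attempt per
# PREAUTH_FAILED; PREAUTH_REQUIRED is the benign "send pre-auth data" hint.
COUNTS_AS_BAD_PASSWORD = {"KRB5KDC_ERR_PREAUTH_FAILED"}
LOCKOUT_ERRORS = {"KRB5KDC_ERR_CLIENT_REVOKED"}
LINE_RE = re.compile(r"AS-REQ\s*->\s*KRB Error:\s*(KRB5KDC_ERR_[A-Z_]+)")

# Constructed sample traces, one line per KDC reply, mirroring the post:
# the 16-reply loop, and the shorter run that ended in an account lockout.
_PAIR = ["AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED",
         "AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED"]
TRACE_LOOP = "\n".join(_PAIR * 8)
TRACE_LOCKOUT = "\n".join(_PAIR * 3 + [
    "AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED NT Status:",
    "NTATUS_ACCOUNT_LOCKED_OUT"])


def parse_kdc_errors(trace):
    """Return the KDC error codes, in order, from Wireshark-style summary lines."""
    codes = []
    for line in trace.splitlines():
        m = LINE_RE.search(line)
        if m:
            codes.append(m.group(1))
    return codes


def analyse_kinit_run(trace):
    """Summarise one kinit invocation: lockout-counting failures, whether the
    KDC reported the account as revoked, and how many replies were seen."""
    bad = 0
    locked = False
    codes = parse_kdc_errors(trace)
    for code in codes:
        if code in COUNTS_AS_BAD_PASSWORD:
            bad += 1
        elif code in LOCKOUT_ERRORS:
            locked = True
            break
    return {"bad_password_attempts": bad, "locked_out": locked, "replies": len(codes)}


def retries_after_first_failure(trace):
    """Number of AS-REQs the client sent after the KDC first said the password
    was wrong; a client that stops at that point would return 0 here."""
    codes = parse_kdc_errors(trace)
    for i, code in enumerate(codes):
        if code in COUNTS_AS_BAD_PASSWORD:
            return len(codes) - (i + 1)
    return 0
```

A value above 0 from `retries_after_first_failure` is the behaviour the post complains about: every extra PREAUTH_FAILED burns one more attempt of the lockout budget for a single typed password.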