[31546] in Kerberos
Re: kinit-1.7: wrong passwords lock active directory accounts
daemon@ATHENA.MIT.EDU (Mark Pröhl)
Wed Oct 7 18:20:20 2009
Message-ID: <4ACCE5E9.501@mproehl.net>
Date: Wed, 07 Oct 2009 21:03:05 +0200
From: Mark Pröhl <mark@mproehl.net>
MIME-Version: 1.0
To: Luke Howard <lhoward@mit.edu>
In-Reply-To: <7659A1B9-C1C2-4037-9D9A-9BF5A55F1767@mit.edu>
Cc: kerberos@mit.edu
Reply-To: mark@mproehl.net
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
I just built trunk and did the same test again.
The problem doesn't occur with kinit from trunk.
Regards,
Mark
Luke Howard wrote:
> Mark,
>
> Are you able to test whether this still occurs with trunk?
>
> regards,
>
> -- Luke
>
> On 07/10/2009, at 4:04 PM, Mark Pröhl wrote:
>
> Hi,
>
> I noticed a problem with kinit from krb-1.7. In case of a wrong
> password, kinit tries up to 8 times to get initial credentials.
> This happens if the KDC is an active directory controller:
>
> # kinit user
> Password for user@MYDOMAIN.EXAMPLE: <wrong password>
> kinit: Looping detected inside krb5_get_in_tkt while getting initial
> credentials
>
> Wireshark shows the following sequence:
>
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>
> This leads to a problem if account lockout policies are enabled.
> Users get locked out after entering just one wrong password:
>
> # kinit user
> Password for user@MYDOMAIN.EXAMPLE: <wrong password>
> kinit: Clients credentials have been revoked while getting initial
> credentials
> #
>
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED NT Status:
> NTATUS_ACCOUNT_LOCKED_OUT
>
>
> My active directory is a win2k3-r2.
>
> My /etc/krb5.conf looks like this:
>
> [libdefaults]
> default_realm = MYDOMAIN.EXAMPLE
> [realms]
> MYDOMAIN.EXAMPLE = {
> kdc = 10.10.10.26
> }
>
>
> Is there an option to prevent kinit from looping?
>
> Regards,
>
> Mark Pröhl
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
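The retry behaviour in the quoted report, as an added example that is not part of this thread or of MIT Kerberos: a small Python model of an AD-style KDC with a bad-logon counter and lockout threshold, run against two kinit strategies, the looping one from the 1.7 report (retries on KRB5KDC_ERR_PREAUTH_FAILED, capped at 8 rounds) and one that stops at the first failure. The threshold value and the password strings are constructed assumptions.

```python
# Added example, not MIT Kerberos code: the KDC answers a preauth-less AS-REQ
# with PREAUTH_REQUIRED, a wrong-password preauth attempt with PREAUTH_FAILED
# (counted as a bad logon) and, at the lockout threshold, CLIENT_REVOKED.
PREAUTH_REQUIRED = "KRB5KDC_ERR_PREAUTH_REQUIRED"
PREAUTH_FAILED = "KRB5KDC_ERR_PREAUTH_FAILED"
CLIENT_REVOKED = "KRB5KDC_ERR_CLIENT_REVOKED"
AS_REP = "AS-REP"

class LockoutKdc:
    """Minimal KDC: one principal, a bad-logon counter and a lockout threshold."""
    def __init__(self, password, threshold):
        self.password, self.threshold, self.bad = password, threshold, 0

    def as_req(self, password=None):
        """Answer one AS-REQ; `password` stands in for the encrypted-timestamp PA-DATA."""
        if self.bad >= self.threshold:          # account already locked out
            return CLIENT_REVOKED
        if password is None:                    # no PA-DATA: KDC demands preauth
            return PREAUTH_REQUIRED
        if password != self.password:           # bad timestamp key: one failed logon
            self.bad += 1
            return CLIENT_REVOKED if self.bad >= self.threshold else PREAUTH_FAILED
        return AS_REP

def kinit(kdc, password, retry_on_failed, max_rounds=8):
    """Return the KDC replies one kinit invocation generates, in order."""
    trace = []
    for _ in range(max_rounds):
        trace.append(kdc.as_req())              # first AS-REQ carries no preauth
        if trace[-1] != PREAUTH_REQUIRED:
            break
        trace.append(kdc.as_req(password))      # retry with encrypted timestamp
        if trace[-1] != PREAUTH_FAILED or not retry_on_failed:
            break                               # success, lockout, or fixed client
    return trace

def run(threshold, retry_on_failed, password="wrong-password"):
    """Simulate one kinit against a fresh KDC; return (replies, bad logons recorded)."""
    kdc = LockoutKdc("correct-password", threshold)   # constructed sample values
    trace = kinit(kdc, password, retry_on_failed)
    return trace, kdc.bad

if __name__ == "__main__":
    for retry in (True, False):
        trace, bad = run(threshold=4, retry_on_failed=retry)
        print(f"retry_on_failed={retry}: {len(trace)} replies, {bad} bad logons, last={trace[-1]}")
```

With an assumed threshold of 4, the looping client reproduces the second trace in the report (three PREAUTH_FAILED replies, then CLIENT_REVOKED) from a single typed password, while the client that stops at the first PREAUTH_FAILED records one bad logon.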