[31548] in Kerberos
Re: kinit-1.7: wrong passwords lock active directory accounts
daemon@ATHENA.MIT.EDU (=?ISO-8859-1?Q?Mark_Pr=F6hl?=)
Wed Oct 7 18:23:05 2009
Message-ID: <4ACCE797.5060705@mproehl.net>
Date: Wed, 07 Oct 2009 21:10:15 +0200
From: =?ISO-8859-1?Q?Mark_Pr=F6hl?= <mark@mproehl.net>
MIME-Version: 1.0
To: Luke Howard <lhoward@mit.edu>
In-Reply-To: <505D4864-97B8-449D-ABF0-5CD324A0193E@mit.edu>
Cc: Kerberos List <kerberos@mit.edu>
Reply-To: mark@mproehl.net
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Luke,
The problem doesn't occur in 1.6 (tested with debian lenny package).
Regards,
Mark
Luke Howard wrote:
> Hi Mark,
>
> Yes, I think this was a bug in the referral handling code that I fixed
> whilst implementing something else (S4U).
>
> Do you know if it occurred with 1.6 or was a regression with 1.7?
>
> regards,
>
> -- Luke
>
> On 07/10/2009, at 9:03 PM, Mark Pröhl wrote:
>
> I just build trunk and did the same test again.
> The problem doesn't occur with kinit from trunk
>
> Regards,
>
> Mark
>
> Luke Howard wrote:
>>>> Mark,
>>>>
>>>> Are you able to test whether this still occurs with trunk?
>>>>
>>>> regards,
>>>>
>>>> -- Luke
>>>>
>>>> On 07/10/2009, at 4:04 PM, Mark Pröhl wrote:
>>>>
>>>> Hi,
>>>>
>>>> I noticed a problem with kinit form krb-1.7. In case of a wrong
>>>> password, kinit tries up to 8 times to get initial credentials.
>>>> This happens if the KDC is an active directory controller:
>>>>
>>>> # kinit user
>>>> Password for user@MYDOMAIN.EXAMPLE: <wrong password>
>>>> kinit: Looping detected inside krb5_get_in_tkt while getting initial
>>>> credentials
>>>>
>>>> Wireshark shows the following sequence:
>>>>
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>>
>>>> This leads to a problem if account lookout policies are enabled.
>>>> Users get locked out after entering just one wrong password:
>>>>
>>>> # kinit user
>>>> Password for user@MYDOMAIN.EXAMPLE: <wrong password>
>>>> kinit: Clients credentials have been revoked while getting initial
>>>> credentials
>>>> #
>>>>
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED NT Status:
>>>> NTATUS_ACCOUNT_LOCKED_OUT
>>>>
>>>>
>>>> My active directory is a win2k3-r2.
>>>>
>>>> My /etc/krb5.conf looks like this:
>>>>
>>>> [libdefaults]
>>>> default_realm = MYDOMAIN.EXAMPLE
>>>> [realms]
>>>> MYDOMAIN.EXAMPLE = {
>>>> kdc = 10.10.10.26
>>>> }
>>>>
>>>>
>>>> Is there an option to prevent kinit from looping?
>>>>
>>>> Regards,
>>>>
>>>> Mark Pröhl
>>>>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkrM55cACgkQNP9kGj7lDw4GpwCgp3mEeh07x28nTT2RBfwUhcNr
HbQAniwBjPS+Sh02bSwiDeNxpTkgMfXr
=tD6k
-----END PGP SIGNATURE-----
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
