[31549] in Kerberos
Re: kinit-1.7: wrong passwords lock active directory accounts
daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Wed Oct 7 18:23:29 2009
Date: Wed, 7 Oct 2009 15:33:43 -0400 (EDT)
From: ghudson@mit.edu
Message-Id: <200910071933.n97JXhcp001209@outgoing.mit.edu>
To: Mark Pröhl <mark@mproehl.net>
In-Reply-To: <4ACCE946.1030808@mproehl.net>
Cc: kerberos@mit.edu
The following patch is not the eventual fix, but should effectively
prevent looping. Basically, it will cause kinit to stop after a
KDC_ERR_PREAUTH_FAILED error, instead of attempting to try other
preauth mechanisms.
Index: get_in_tkt.c
===================================================================
--- get_in_tkt.c (revision 22396)
+++ get_in_tkt.c (working copy)
@@ -1331,8 +1331,7 @@
&out_padata, &retry);
if (ret !=0)
goto cleanup;
- if ((err_reply->error == KDC_ERR_PREAUTH_REQUIRED ||err_reply->error == KDC_ERR_PREAUTH_FAILED)
-&& retry) {
+ if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED && retry) {
/* reset the list of preauth types to try */
if (preauth_to_use) {
krb5_free_pa_data(context, preauth_to_use);
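Review bot: The rewritten condition `if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED && retry) {` drops KDC_ERR_PREAUTH_FAILED with no comment explaining why, so a later reader could take it for an omission and put it back, reintroducing the retry loop. Please add a short comment above the `if` stating that KDC_ERR_PREAUTH_FAILED is deliberately excluded so that a rejected preauth attempt is not repeated against the KDC. It is also worth recording there, as the cover text says, that this disables falling back to other preauth mechanisms after a failure, since that is the behaviour the eventual fix will need to restore selectively.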
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos