[31552] in Kerberos
Re: kinit-1.7: wrong passwords lock active directory accounts
daemon@ATHENA.MIT.EDU (Luke Howard)
Wed Oct 7 18:40:16 2009
Mime-Version: 1.0 (Apple Message framework v1076)
From: Luke Howard <lhoward@mit.edu>
In-Reply-To: <4ACCA005.9050605@mproehl.net>
Date: Wed, 7 Oct 2009 18:37:39 +0200
Message-Id: <7659A1B9-C1C2-4037-9D9A-9BF5A55F1767@mit.edu>
To: mark@mproehl.net
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Mark,
Are you able to test whether this still occurs with trunk?
regards,
-- Luke
On 07/10/2009, at 4:04 PM, Mark Pröhl wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I noticed a problem with kinit form krb-1.7. In case of a wrong
> password, kinit tries up to 8 times to get initial credentials.
> This happens if the KDC is an active directory controller:
>
> # kinit user
> Password for user@MYDOMAIN.EXAMPLE: <wrong password>
> kinit: Looping detected inside krb5_get_in_tkt while getting initial
> credentials
>
> Wireshark shows the following sequence:
>
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>
> This leads to a problem if account lookout policies are enabled.
> Users get locked out after entering just one wrong password:
>
> # kinit user
> Password for user@MYDOMAIN.EXAMPLE: <wrong password>
> kinit: Clients credentials have been revoked while getting initial
> credentials
> #
>
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED NT Status:
> NTATUS_ACCOUNT_LOCKED_OUT
>
>
> My active directory is a win2k3-r2.
>
> My /etc/krb5.conf looks like this:
>
> [libdefaults]
> default_realm = MYDOMAIN.EXAMPLE
> [realms]
> MYDOMAIN.EXAMPLE = {
> kdc = 10.10.10.26
> }
>
>
> Is there an option to prevent kinit from looping?
>
> Regards,
>
> Mark Pröhl
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkrMoAQACgkQNP9kGj7lDw71hACg4tV1INOAziMnrd89zfCTNC7J
> nngAnie9sNg/bimKdKYmKTDWLuBC3meD
> =tusl
> -----END PGP SIGNATURE-----
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
