>>>>> "DEEngert" == DEEngert@anl gov via RT <rt-comment@krbdev.mit.edu> writes:

DEEngert> to a 1.2.8 KDC, I can get it to fail if the user principal has 
DEEngert> the REQUIRE_PRE_AUTH attribute. When it is not set the kinit works. 

DEEngert> Have you tried this combination? 

DEEngert> kinit output:
 
DEEngert> orleans.ctd.anl.gov% kinit -m b17783@KRB5.ANL.GOV
DEEngert> kinit(v5): Preauthentication failed while getting initial credentials


DEEngert> KDC log:

DEEngert> Feb 11 15:18:48 chimera.ctd.anl.gov krb5kdc[324]: no valid preauth type found: Unknown code 0
DEEngert> Feb 11 15:18:48 chimera.ctd.anl.gov krb5kdc[324]: AS_REQ (4 etypes {1 3 16 23}) 146.137.180.252(88): PREAUTH_FAILED: b17783@KRB5.ANL.GOV for krbtgt/KRB5.ANL.GOV@KRB5.ANL.GOV, Preauthentication failed

I think the code is functioning as I expect it to, in this case.
After all, you require preauth, and you didn't provide any preauth
that it understood.  Or are you saying that it should ask for
additional preauth rather than returning "preauth failed"?

---Tom