Tom Yu via RT wrote:
>
> >>>>> "DEEngert" == DEEngert@anl gov via RT writes:
>
> DEEngert> to a 1.2.8 KDC, I can get it to fail if the user principal has
> DEEngert> the REQUIRE_PRE_AUTH attribute. When it is not set the kinit works.
>
> DEEngert> Have you tried this combination?
>
> DEEngert> kinit output:
>
> DEEngert> orleans.ctd.anl.gov% kinit -m b17783@KRB5.ANL.GOV
> DEEngert> kinit(v5): Preauthentication failed while getting initial credentials
>
> DEEngert> KDC log:
>
> DEEngert> Feb 11 15:18:48 chimera.ctd.anl.gov krb5kdc[324]: no valid preauth type found: Unknown code 0
> DEEngert> Feb 11 15:18:48 chimera.ctd.anl.gov krb5kdc[324]: AS_REQ (4 etypes {1 3 16 23}) 146.137.180.252(88): PREAUTH_FAILED: b17783@KRB5.ANL.GOV for krbtgt/KRB5.ANL.GOV@KRB5.ANL.GOV, Preauthentication failed
>
> I think the code is functioning as I expect it to, in this case.

No.

> After all, you require preauth, and you didn't provide any preauth
> that it understood. Or are you saying that it should ask for
> additional preauth rather than returning "preauth failed"?

Yes. On the first AS-REQ the client does not know what preauth, if any, is
required, so it just sends the PA-PAC-REQUEST. It has to do this on the first
request, as preauth may not be needed. If preauth is not required, the KDC
ignores the PA-PAC-REQUEST and it works. If preauth is required, a krb-error
SHOULD be sent saying which preauths can be used.

I think the KDC code sees some preauth data (PA-PAC-REQUEST) but not any it
can use, and assumes that this must be a second AS-REQ and that it has already
sent the client a krb-error with the list of preauths. So the KDC sends the
failed message, and never sends the list of required preauths.

>
> ---Tom

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
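The two KDC behaviours discussed in this thread, modelled side by side as an added example (not code from MIT Kerberos or from either poster). `kdc_faulty` is the behaviour Doug describes, where any padata at all is treated as an answer to an earlier KRB-ERROR; `kdc_expected` is the behaviour he asks for, where padata the KDC cannot verify is ignored and a KRB-ERROR carrying the usable preauth types is returned. The padata type numbers and error codes are the real RFC 4120 / MS-KILE values; the principal database, the stand-in timestamp check and the `kinit` loop are constructed for the illustration.

```python
"""Model of the KDC preauth decision described in the thread (added example)."""
from dataclasses import dataclass, field

# padata types: RFC 4120 section 7.5.2; PA-PAC-REQUEST from MS-KILE.
PA_ENC_TIMESTAMP = 2
PA_PAC_REQUEST = 128

# KDC error codes, RFC 4120 section 7.5.9.
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_PREAUTH_REQUIRED = 25

# Preauth types this toy KDC is able to verify.
USABLE_PREAUTH = {PA_ENC_TIMESTAMP}


@dataclass
class AsReq:
    client: str
    padata: dict = field(default_factory=dict)  # padata type -> value


@dataclass
class Principal:
    require_preauth: bool   # the REQUIRE_PRE_AUTH attribute from the thread
    password: str


# Constructed principal database (not real credentials).
KDB = {
    "b17783@KRB5.ANL.GOV": Principal(require_preauth=True, password="hunter2"),
    "nopreauth@KRB5.ANL.GOV": Principal(require_preauth=False, password="x"),
}


def verify_enc_timestamp(princ, value):
    """Stand-in for decrypting PA-ENC-TIMESTAMP with the client's long-term key."""
    return value == ("ts", princ.password)


def kdc_faulty(req):
    """Behaviour described in the thread: the presence of any padata is taken to
    mean the client already received a KRB-ERROR listing preauth types, so an
    unusable PA-PAC-REQUEST on its own is reported as PREAUTH_FAILED."""
    princ = KDB[req.client]
    if not princ.require_preauth:
        return ("AS-REP", 0, [])          # PA-PAC-REQUEST is simply ignored
    if not req.padata:
        return ("KRB-ERROR", KDC_ERR_PREAUTH_REQUIRED, sorted(USABLE_PREAUTH))
    for ptype, value in req.padata.items():
        if ptype in USABLE_PREAUTH and verify_enc_timestamp(princ, value):
            return ("AS-REP", 0, [])
    return ("KRB-ERROR", KDC_ERR_PREAUTH_FAILED, [])


def kdc_expected(req):
    """Behaviour asked for in the thread: only padata the KDC can verify counts
    as a preauth attempt; otherwise answer PREAUTH_REQUIRED with the usable
    types so the client can retry."""
    princ = KDB[req.client]
    if not princ.require_preauth:
        return ("AS-REP", 0, [])
    attempts = {t: v for t, v in req.padata.items() if t in USABLE_PREAUTH}
    if not attempts:
        return ("KRB-ERROR", KDC_ERR_PREAUTH_REQUIRED, sorted(USABLE_PREAUTH))
    if any(verify_enc_timestamp(princ, v) for v in attempts.values()):
        return ("AS-REP", 0, [])
    return ("KRB-ERROR", KDC_ERR_PREAUTH_FAILED, [])


def kinit(kdc, client, password):
    """Constructed client loop: the first AS-REQ carries only PA-PAC-REQUEST,
    because the client cannot yet know whether preauth is required. A
    PREAUTH_REQUIRED error naming PA-ENC-TIMESTAMP triggers one retry."""
    req = AsReq(client, {PA_PAC_REQUEST: True})
    for _ in range(2):
        kind, code, hints = kdc(req)
        if kind == "AS-REP":
            return "ok"
        if code == KDC_ERR_PREAUTH_REQUIRED and PA_ENC_TIMESTAMP in hints:
            req = AsReq(client, {PA_PAC_REQUEST: True,
                                 PA_ENC_TIMESTAMP: ("ts", password)})
            continue
        break
    return "Preauthentication failed"


if __name__ == "__main__":
    for name, kdc in (("faulty", kdc_faulty), ("expected", kdc_expected)):
        print(name, kinit(kdc, "b17783@KRB5.ANL.GOV", "hunter2"))
```

Running it reproduces the symptom from the thread: against `kdc_faulty` the preauth-required principal gets "Preauthentication failed" on the very first exchange, while against `kdc_expected` the same client completes in two round trips, and a principal without REQUIRE_PRE_AUTH succeeds against both.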