>>>>> "Jered" == Jered Floyd via RT writes:

Jered> Rather, when I type the principal's password correctly, both kinit
Jered> and saslauthd succeed. When I give an incorrect password, both
Jered> log the error that I reported.

Jered> Arguably, the error message is not particularly good at indicating
Jered> that the password is incorrect.

I agree. Inspection of the code in verify_enc_timestamp() reveals that if a key is found that matches the enctype in the encrypted timestamp preauth, and the decryption fails, the loop continues. This is presumably because the encrypted timestamp preauth doesn't carry salt information or any other information that would permit the KDC to correctly choose between multiple keys having the same enctype but having different salts.

Probably the correct thing to do is to set a flag when decryption is attempted, so that if the loop exits with an error of NO_MATCHING_KEY and the flag is set, the KDC will correctly report a bad password.

---Tom
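The two shapes of the key-selection loop discussed in the message above, as an added illustration that is not code from the krb5 tree or from anyone in this thread. Every name in it (kdc_key, enc_ts, KDC_ERR_NO_MATCHING_KEY, KDC_ERR_PREAUTH_FAILED, kdc_verdict, the enctype numbers) is hypothetical, the key table is constructed, and a toy XOR cipher with a format check stands in for real enctype decryption with its integrity check. What it shows is the point of the report: with several keys of one enctype derived under different salts, the loop has to try each one, and a decryption failure on a matching-enctype key must be remembered so the caller can report a bad password rather than "no matching key".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical enctype ids and KDC result codes (NOT krb5's real constants). */
enum { ETYPE_X = 17, ETYPE_Y = 18, ETYPE_Z = 20 };
enum { KDC_OK = 0, KDC_ERR_NO_MATCHING_KEY = 1, KDC_ERR_PREAUTH_FAILED = 2 };

typedef struct {
    int enctype;
    const char *salt;   /* salt the key was derived with; the timestamp preauth carries no salt */
    uint8_t key[16];
} kdc_key;

typedef struct {
    int enctype;        /* the only hint the KDC gets about which key was used */
    uint8_t ct[16];
} enc_ts;

/* Constructed key material: two keys of the same enctype from the same password
 * under different salts, plus one key of another enctype. */
static const kdc_key KDC_KEYS[] = {
    { ETYPE_X, "EXAMPLE.COMjered", {0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11} },
    { ETYPE_X, "jered",            {0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22} },
    { ETYPE_Y, "EXAMPLE.COMjered", {0x33,0x33,0x33,0x33,0x33,0x33,0x33,0x33,0x33,0x33,0x33,0x33,0x33,0x33,0x33,0x33} },
};
#define N_KEYS 3

/* Constructed: the key a client derives from a mistyped password. */
static const uint8_t WRONG_KEY[16] = {0x91,0x91,0x91,0x91,0x91,0x91,0x91,0x91,0x91,0x91,0x91,0x91,0x91,0x91,0x91,0x91};

/* 14-digit GeneralizedTime followed by 'Z' and a NUL; exactly 16 bytes. */
static const char TIMESTAMP[16] = "20240101120000Z";

/* Toy cipher for the illustration: XOR with the key. "Decryption succeeded"
 * means the result still parses as a timestamp, which a wrong key will not
 * yield for these key values. Real enctypes use a checksum; the decision the
 * loop makes on the result has the same shape. */
static void toy_encrypt(const uint8_t *key, const char *pt, uint8_t *ct) {
    for (int i = 0; i < 16; i++) ct[i] = (uint8_t)pt[i] ^ key[i];
}

static int toy_decrypt_ok(const uint8_t *key, const uint8_t *ct) {
    char pt[16];
    for (int i = 0; i < 16; i++) pt[i] = (char)(ct[i] ^ key[i]);
    for (int i = 0; i < 14; i++) if (pt[i] < '0' || pt[i] > '9') return 0;
    return pt[14] == 'Z' && pt[15] == '\0';
}

/* Loop as described in the report: a matching-enctype key whose decryption
 * fails is simply skipped, so "no key of this enctype" and "key tried, wrong
 * password" come out as the same error. */
static int verify_enc_timestamp_old(const enc_ts *ts) {
    for (int i = 0; i < N_KEYS; i++) {
        if (KDC_KEYS[i].enctype != ts->enctype) continue;
        if (toy_decrypt_ok(KDC_KEYS[i].key, ts->ct)) return KDC_OK;
        /* decryption failed: maybe another key with this enctype (other salt) fits */
    }
    return KDC_ERR_NO_MATCHING_KEY;
}

/* The suggested change: remember that a decryption was attempted, and report a
 * preauth (bad password) failure instead of "no matching key" in that case. */
static int verify_enc_timestamp_fixed(const enc_ts *ts) {
    int tried = 0;
    for (int i = 0; i < N_KEYS; i++) {
        if (KDC_KEYS[i].enctype != ts->enctype) continue;
        if (toy_decrypt_ok(KDC_KEYS[i].key, ts->ct)) return KDC_OK;
        tried = 1;
    }
    return tried ? KDC_ERR_PREAUTH_FAILED : KDC_ERR_NO_MATCHING_KEY;
}

/* Simulate a client that derived client_key (of enctype etype) from its
 * password and sent an encrypted timestamp; return the KDC's verdict from the
 * old loop (use_fix == 0) or the fixed one (use_fix != 0). */
int kdc_verdict(int etype, const uint8_t *client_key, int use_fix) {
    enc_ts ts;
    ts.enctype = etype;
    toy_encrypt(client_key, TIMESTAMP, ts.ct);
    return use_fix ? verify_enc_timestamp_fixed(&ts) : verify_enc_timestamp_old(&ts);
}

int main(void) {
    printf("correct password, second salt:  old=%d fixed=%d\n",
           kdc_verdict(ETYPE_X, KDC_KEYS[1].key, 0), kdc_verdict(ETYPE_X, KDC_KEYS[1].key, 1));
    printf("wrong password:                 old=%d fixed=%d\n",
           kdc_verdict(ETYPE_X, WRONG_KEY, 0), kdc_verdict(ETYPE_X, WRONG_KEY, 1));
    printf("enctype the KDC has no key for: old=%d fixed=%d\n",
           kdc_verdict(ETYPE_Z, KDC_KEYS[1].key, 0), kdc_verdict(ETYPE_Z, KDC_KEYS[1].key, 1));
    return 0;
}
```

Note that the flag does not help the KDC pick the right salt; it still has to try every key of the requested enctype. It only changes what is reported once all of them have failed, which is exactly the distinction the error message in the report was missing.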