Received: from hermes.ctd.anl.gov (hermes.ctd.anl.gov [130.202.113.27])
    by krbdev.mit.edu (8.9.3p2) with ESMTP id QAA20508;
    Wed, 11 Feb 2004 16:39:34 -0500 (EST)
Received: from hermes.ctd.anl.gov (localhost [127.0.0.1])
    by hermes.ctd.anl.gov (8.9.1a/8.9.1) with ESMTP id PAA12776
    for ; Wed, 11 Feb 2004 15:39:03 -0600 (CST)
Received: from anl.gov (atalanta.ctd.anl.gov [146.137.194.4])
    by hermes.ctd.anl.gov (8.9.1a/8.9.1) with ESMTP id PAA12754;
    Wed, 11 Feb 2004 15:39:01 -0600 (CST)
Message-Id: <402AA115.7CCACA7@anl.gov>
Date: Wed, 11 Feb 2004 15:39:33 -0600
From: "Douglas E. Engert"
X-Mailer: Mozilla 4.79 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Sam Hartman
Cc: rt-comment@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #2110] MIT KDC fails to handle unknown padata
References: <401EB351.4A6AD67@anl.gov> <40296378.3D0B2D47@anl.gov>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
RT-Send-Cc:
X-RT-Original-Encoding: us-ascii
Content-Length: 1052

Sam Hartman wrote:
>
> Hi, Doug. I applied your patches and they seemed to work.
>
> However I was unable to reproduce the error you got against a 1.2.x or
> 1.3.x KDC. I was able to reproduce this problem against a 1.0.7 KDC.

Using a modified 1.3.2 kinit:
  kinit -m b17783@KRB5.ANL.GOV
to a 1.2.8 KDC, I can get it to fail if the user principal has
the REQUIRE_PRE_AUTH attribute. When it is not set the kinit works.

Have you tried this combination?

kinit output:
orleans.ctd.anl.gov% kinit -m b17783@KRB5.ANL.GOV
kinit(v5): Preauthentication failed while getting initial credentials

KDC log:
Feb 11 15:18:48 chimera.ctd.anl.gov krb5kdc[324]: no valid preauth type found: Unknown code 0
Feb 11 15:18:48 chimera.ctd.anl.gov krb5kdc[324]: AS_REQ (4 etypes {1 3 16 23}) 146.137.180.252(88): PREAUTH_FAILED: b17783@KRB5.ANL.GOV for krbtgt/KRB5.ANL.GOV@KRB5.ANL.GOV, Preauthentication failed

--

 Douglas E. Engert
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois 60439
 (630) 252-5444
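
An added example, not part of the original message or of MIT krb5: a small log triage helper that pairs the "no valid preauth type found" line with the PREAUTH_FAILED AS_REQ line logged next by the same krb5kdc process, so failures of the kind quoted above can be separated from other preauthentication failures. The function name, the regular expressions and the third log line are constructed for illustration.

```python
import re

# Constructed sample: the two KDC log lines quoted in the message, plus one
# constructed PREAUTH_FAILED line (other host/PID) with no preceding marker.
SAMPLE_LOG = """\
Feb 11 15:18:48 chimera.ctd.anl.gov krb5kdc[324]: no valid preauth type found: Unknown code 0
Feb 11 15:18:48 chimera.ctd.anl.gov krb5kdc[324]: AS_REQ (4 etypes {1 3 16 23}) 146.137.180.252(88): PREAUTH_FAILED: b17783@KRB5.ANL.GOV for krbtgt/KRB5.ANL.GOV@KRB5.ANL.GOV, Preauthentication failed
Feb 11 15:20:02 kdc.example.test krb5kdc[401]: AS_REQ (1 etypes {16}) 192.0.2.10(88): PREAUTH_FAILED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
"""

PREFIX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AS_REQ = re.compile(
    r"^AS_REQ \(\d+ etypes \{(?P<etypes>[\d ]*)\}\) (?P<ip>[\d.]+)\(\d+\): "
    r"(?P<status>[A-Z_]+): (?P<client>\S+) for (?P<server>[^,]+)")
NO_PREAUTH = "no valid preauth type found"


def classify_preauth_failures(log_text):
    """Return one dict per PREAUTH_FAILED AS_REQ. 'no_valid_preauth' is True
    when the line logged just before it by the same host/PID was the
    'no valid preauth type found' message."""
    pending = {}   # (host, pid) -> marker seen on that process's last line
    results = []
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        key = (m["host"], m["pid"])
        if m["msg"].startswith(NO_PREAUTH):
            pending[key] = True
            continue
        flagged = pending.pop(key, False)   # any other line clears the marker
        req = AS_REQ.match(m["msg"])
        if req and req["status"] == "PREAUTH_FAILED":
            results.append({
                "time": m["ts"],
                "client": req["client"],
                "source_ip": req["ip"],
                "etypes": [int(e) for e in req["etypes"].split()],
                "no_valid_preauth": flagged,
            })
    return results
```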