Received: from cathode-dark-space.mit.edu (daemon@CATHODE-DARK-SPACE.MIT.EDU [18.18.1.96])
    by krbdev.mit.edu (8.9.3p2) with ESMTP id QAA20523;
    Wed, 11 Feb 2004 16:47:35 -0500 (EST)
Received: (from tlyu@localhost)
    by cathode-dark-space.mit.edu (8.12.9) id i1BLlYcc003530;
    Wed, 11 Feb 2004 16:47:34 -0500 (EST)
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #2110] MIT KDC fails to handle unknown padata
References:
From: Tom Yu
Date: Wed, 11 Feb 2004 16:47:34 -0500
In-Reply-To: (rt-comment@krbdev.mit.edu's message of "Wed, 11 Feb 2004 16:39:37 -0500 (EST)")
Message-Id:
Lines: 24
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
RT-Send-Cc:
X-RT-Original-Encoding: us-ascii
Content-Length: 1044

>>>>> "DEEngert" == DEEngert@anl gov via RT writes:

DEEngert> to a 1.2.8 KDC, I can get it to fail if the user principal has
DEEngert> the REQUIRE_PRE_AUTH attribute. When it is not set the kinit works.
DEEngert> Have you tried this combination?

DEEngert> kinit output:
DEEngert> orleans.ctd.anl.gov% kinit -m b17783@KRB5.ANL.GOV
DEEngert> kinit(v5): Preauthentication failed while getting initial credentials

DEEngert> KDC log:
DEEngert> Feb 11 15:18:48 chimera.ctd.anl.gov krb5kdc[324]: no valid preauth type found: Unknown code 0
DEEngert> Feb 11 15:18:48 chimera.ctd.anl.gov krb5kdc[324]: AS_REQ (4 etypes {1 3 16 23}) 146.137.180.252(88): PREAUTH_FAILED: b17783@KRB5.ANL.GOV for krbtgt/KRB5.ANL.GOV@KRB5.ANL.GOV, Preauthentication failed

I think the code is functioning as I expect it to, in this case.
After all, you require preauth, and you didn't provide any preauth
that it understood. Or are you saying that it should ask for
additional preauth rather than returning "preauth failed"?

---Tom