Subject: kinit fails when password-change required attribute is set

When kinit is used to obtain an initial ticket, if the passwd change required attribute is set (pwchg attribute in case of HP-UX Kerberos servers) for the principal, kinit fails with a 'Realm unknown' error instead of asking for a new password. I have attached the fix below.

Source files changed: /vob/krb5-1.3.3/src/lib/krb5/krb/gic_pwd.c

Source file changed

*************** *** /vob/krb5-1.3.3/src/lib/krb5/krb/gic_pwd.c --- /vob/krb5-1.3.3/src/lib/krb5/krb/gic_pwd.c.fix *** 131,143 **** if (ret == 0) goto cleanup; /* If all the kdc's are unavailable, or if the error was due to a user interrupt, or preauth errored out, fail */ if ((ret == KRB5_KDC_UNREACH) || (ret == KRB5_PREAUTH_FAILED) || ! (ret == KRB5_LIBOS_PWDINTR) || ! (ret == KRB5_REALM_CANT_RESOLVE)) goto cleanup; /* if the reply did not come from the master kdc, try again with --- 131,147 ---- if (ret == 0) goto cleanup; + /* If it's passwd change */ + if (ret == KRB5KDC_ERR_KEY_EXP) + goto passwd_chg; + /* If all the kdc's are unavailable, or if the error was due to a user interrupt, or preauth errored out, fail */ if ((ret == KRB5_KDC_UNREACH) || (ret == KRB5_PREAUTH_FAILED) || ! (ret == KRB5_LIBOS_PWDINTR) /*|| ! (ret == KRB5_REALM_CANT_RESOLVE)*/) goto cleanup; /* if the reply did not come from the master kdc, try again with *************** *** 163,174 **** /* if the master is unreachable, return the error from the slave we were able to contact */ if ((ret2 == KRB5_KDC_UNREACH) || (ret2 == KRB5_REALM_CANT_RESOLVE) || ! (ret2 == KRB5_REALM_UNKNOWN)) ! 
goto cleanup; - ret = ret2; } #ifdef USE_LOGIN_LIBRARY --- 167,180 ---- /* if the master is unreachable, return the error from the slave we were able to contact */ + ret = ret2; + if ((ret2 == KRB5_KDC_UNREACH) || (ret2 == KRB5_REALM_CANT_RESOLVE) || ! (ret2 == KRB5_REALM_UNKNOWN)) { ! goto cleanup; ! } } #ifdef USE_LOGIN_LIBRARY *************** *** 179,185 **** /* at this point, we have an error from the master. if the error is not password expired, or if it is but there's no prompter, return this error */ ! if ((ret != KRB5KDC_ERR_KEY_EXP) || (prompter == NULL)) goto cleanup; --- 185,191 ---- /* at this point, we have an error from the master. if the error is not password expired, or if it is but there's no prompter, return this error */ ! passwd_chg: if ((ret != KRB5KDC_ERR_KEY_EXP) || (prompter == NULL)) goto cleanup;
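Review bot: In the first hunk (lines 131-147), `goto passwd_chg` on `KRB5KDC_ERR_KEY_EXP` jumps straight past the retry that the very next comment announces ("if the reply did not come from the master kdc, try again with the master kdc") and past the `#ifdef USE_LOGIN_LIBRARY` section visible at the end of the second hunk. The retry exists so that a "password expired" answer from a replica is confirmed by the master before the user is prompted to change the password; with this change a stale replica alone decides that the password has expired. If the intent is only to stop the realm-resolution failure from masking the expired-password condition, the fix belongs in the master-unreachable handling of the second hunk rather than in a jump that bypasses the master entirely. In the same hunk, `KRB5_REALM_CANT_RESOLVE` is commented out rather than removed, which leaves dead code inside the condition and makes the comment above it ("If all the kdc's are unavailable ... fail") no longer match what the code does: a first attempt that fails with `KRB5_REALM_CANT_RESOLVE` now falls through to the master retry. Either delete the clause and update the comment, or explain in the message why a realm that cannot be resolved should still be retried.

Review bot: In the second hunk (lines 163-180), moving `ret = ret2;` above the `if` inverts the behaviour that the surviving comment still describes. The comment says "if the master is unreachable, return the error from the slave we were able to contact", but with the assignment first, `ret` already holds the master's error (`KRB5_KDC_UNREACH`, `KRB5_REALM_CANT_RESOLVE` or `KRB5_REALM_UNKNOWN`) by the time `goto cleanup` runs, so the caller sees the master lookup failure, not the replica's diagnosis. For every error other than the one redirected in the first hunk this makes the reported "Realm unknown" symptom more likely, not less. Keep the original order (check `ret2`, `goto cleanup`, then `ret = ret2;`) or rewrite the comment to say what the new code actually returns; the added braces around the single `goto` are fine but are the only part of this hunk that is purely cosmetic.

Review bot: In the third hunk (lines 185-191), the new `passwd_chg:` label is written on the same line as the `if` statement it labels; put the label on its own line so the jump target is visible when reading the function. More importantly, the condition immediately after the label, `(ret != KRB5KDC_ERR_KEY_EXP) || (prompter == NULL)`, is the only guard on the jumped-to path: when `prompter == NULL` the code still goes to `cleanup` with `ret` set to the replica's `KRB5KDC_ERR_KEY_EXP`, and the master is never consulted, so document in the message that callers without a prompter now get the replica's verdict rather than the master's.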