On Wed Mar 24 15:02:03 2004, Ken Hornstein said:

>>Could you elaborate a bit? First of all, does 'error' include just
>>incorrect password (because the new, correct, one hasn't yet propagated)?
>
> Since you asked ... currently, the following list of error codes is ones
> that the KDC will _not_ retry on:
>
> KRB5_KDC_UNREACH
> KRB5_PREAUTH_FAILED
> KRB5_LIBOS_PWDINTR
> KRB5_REALM_CANT_RESOLVE

Unfortunately, PREAUTH_FAILED corresponds to the password being deemed
incorrect, since we have requires_preauth on all user principals. So, in
our case, if the user happens to hit the secondary server right after doing
a password change, no doubt this will cause an error message.

But as I said before, I think users just try again, on the assumption they
made a typo. They'll likely hit the primary server on the next try (or two!).

Mike

------------------------------------------------------------------------------
Mike Friedman                        System and Network Security
[EMAIL PROTECTED]                    2484 Shattuck Avenue
1-510-642-1410                       University of California at Berkeley
http://ack.Berkeley.EDU/~mikef       http://security.berkeley.edu
------------------------------------------------------------------------------
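
The situation described in this message, as an added example that is not part of the original thread and is not MIT Kerberos code: a toy model of a client that tries a secondary KDC first and falls back to the primary unless the error is on the no-retry list quoted above. `ToyKDC`, `get_initial_creds`, `demo` and the passwords are hypothetical, and the error name used for the no-preauth case is an assumption of the model.

```python
# Toy model (constructed): secondary-first login with fallback to the primary KDC.

# Error names quoted in the thread: on these the client gives up instead of
# retrying against the primary.
NO_RETRY = frozenset({
    "KRB5_KDC_UNREACH",
    "KRB5_PREAUTH_FAILED",
    "KRB5_LIBOS_PWDINTR",
    "KRB5_REALM_CANT_RESOLVE",
})


class ToyKDC:
    """Hypothetical stand-in for a KDC: maps principal -> current password."""

    def __init__(self, name, db, requires_preauth):
        self.name, self.db, self.requires_preauth = name, db, requires_preauth

    def as_req(self, principal, password):
        """Return None on success, otherwise an error name."""
        if self.db.get(principal) == password:
            return None
        if self.requires_preauth:
            return "KRB5_PREAUTH_FAILED"  # KDC rejects the preauth data
        # Assumption of this model: without preauth the client only notices
        # the wrong key when it fails to decrypt the reply.
        return "KRB5KRB_AP_ERR_BAD_INTEGRITY"


def get_initial_creds(secondary, primary, principal, password):
    """Return (error_or_None, names of the KDCs contacted)."""
    err = secondary.as_req(principal, password)
    if err is None or err in NO_RETRY:
        return err, [secondary.name]
    return primary.as_req(principal, password), [secondary.name, primary.name]


def demo(requires_preauth):
    # Constructed scenario: password changed on the primary, not yet propagated.
    primary = ToyKDC("primary", {"alice": "new-pw"}, requires_preauth)
    secondary = ToyKDC("secondary", {"alice": "old-pw"}, requires_preauth)
    return get_initial_creds(secondary, primary, "alice", "new-pw")


if __name__ == "__main__":
    print("requires_preauth on: ", demo(True))
    print("requires_preauth off:", demo(False))
```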
