David Maze wrote:
> kinit (from the MIT Kerberos packages, not Heimdal) works as I (and you)
> expect. Where does your kinit come from?
>
> which kinit
> dpkg -S `which kinit`
This is most disturbing. After a check at my home lan where it worked,
of course,
I followed up what kinit I was using at work, where I discovered the
problem:
~$ type -all kinit
kinit is /usr/bin/kinit
~$ ls -l /usr/bin/kinit
lrwxrwxrwx 1 root root 23 Sep 16 14:43 /usr/bin/kinit
-> /etc/alternatives/kinit
~$ ls -l /etc/alternatives/kinit
lrwxrwxrwx 1 root root 27 Sep 16 14:44
/etc/alternatives/kinit -> /usr/lib/j2se/1.4/bin/kinit
!!! On a correctly configured debian box with krb5-user, the
/usr/bin/kinit is a file, not a link!
And the test you suggested makes one think everything is ok, although it
should normally sort it out:
~$ dpkg -S `which kinit`
krb5-user: /usr/bin/kinit
The problem seems to be caused by the thing I did yesterday.
For the first time ever, I installed an unofficial deb, the j2sdk1.4
compiled with gcc-3.2, downloaded from jrfonseca.dyndns.org/debian.
Found the link on apt-get.org.
I didn't exactly read every line of the install progress, but there were
no flashing signs of it overwriting my krb5-user files, kinit and klist!
Yes the other file is also exchanged. There may be more, I haven't
checked yet. I'm really upset by this happening silently...
Interesting thing though, the java stuff worked with mozilla as I
expected.
Now should I consider the whole machine tainted, or is this only a bug?
As a note:
I use the krb5-xxx official packages at version 1.3, and they normally
works lika charm.
With the "fake" kinit, when I write an incorrect password or none at
all, the output looks like the following:
(obviously incorrect password is here sdklakjfd)
~$ kinit
Password for [EMAIL PROTECTED]:sdklakjfd
Exception: krb_error 24 Pre-authentication information was invalid (24)
- PREAUTH_FAILED Pre-authentication information was invalid
KrbException: Pre-authentication information was invalid (24) -
PREAUTH_FAILED
at sun.security.krb5.KrbAsRep.<init>(DashoA6275:65)
at sun.security.krb5.KrbAsReq.getReply(DashoA6275:308)
at sun.security.krb5.KrbAsReq.getReply(DashoA6275:271)
at sun.security.krb5.internal.tools.Kinit.<init>(DashoA6275:264)
at sun.security.krb5.internal.tools.Kinit.main(DashoA6275:104)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.af.a(DashoA6275:129)
at sun.security.krb5.internal.au.a(DashoA6275:58)
at sun.security.krb5.internal.au.<init>(DashoA6275:53)
at sun.security.krb5.KrbAsRep.<init>(DashoA6275:48)
... 4 more
If I typed the correct I did actually get a TGT, at least the "fake"
klist reported so. Everything was kind of sluggish with these programs.
Cheers,
Anders
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
