Re: Why Kerberos performs account management before authentication?

From: Gleb Popov <arrowd_at_freebsd.org>
Date: Fri, 11 Oct 2024 15:30:48 UTC

On Fri, Oct 11, 2024 at 6:09 PM Cy Schubert <Cy.Schubert@cschubert.com> wrote:
>
> I just tested this on my MIT KRB5 KDC. I created a principal and expired it
> at 0800U (my timezone U = PDT). Here are the results:
>
> slippy$ kinit cytest
> cytest@CWSENT.COM's Password:
> kinit: Password incorrect
>
> My MIT KRB5 KDC returns password incorrect to the FreeBSD Heimdal kinit for
> the expired principal.
>
> slippy$ /usr/local/bin/kinit cytest
> Password for cytest@CWSENT.COM:
> kinit: Password incorrect while getting initial credentials
> slippy$
>
> It also returns password incorrect to the MIT KRB5 kinit.
>
> What you're seeing is M$ A/D behavior.
>

This is peculiar. Thanks for conducting the test! I'll try this out myself too.