Miscellaneous questions regarding krb5.conf?

Subject: Miscellaneous questions regarding krb5.conf?

From: jay alvarez <kerber0sb0y@yahoo.com>

Date: Wed, 14 Dec 2005 19:49:00 -0800 (PST)

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=CsDBiSWgjBveu4np+v/SoIwpEsBHjBtUurpRXdP0rAyEs3H81ChtNAtopiWb40kuIo+XQg4uAtTKicYiNlOola7yMh3lXPk+iTytQDFiD08mjpTPWDdLorRwBJcDhw6P8ZOJOK4dCniD2YPl5XkPJYmX29TGs9luSCFmkG9PcOE= ;

Sender: owner-heimdal-discuss@sics.se

Good day!

I have a few questions:

1. Where is that [password_quality] section located in the manual as discussed in this link: http://www.openinput.com/auth-howto/ar01s06.html, where I can set the minimum password length as well as the allowable characters and possible the invalid password possibly taken from dictionary?

2. "privilages" command in kadmin doesn't work
3. perhaps the krb5.conf manual should indicate which sections/bindings is for a client and which is for a server. When I kinit from a machine with a lifetime of "10 hours" (kinit -l "10 hours" myusername@OUR.REALM) I got a ticket with a ten hours lifetime even if the "ticket_lifetime" in the [libdefaults] section of the kdc's krb5.conf is set to only 8 hours as well as in the clients krb5.conf.

4. How can I enforce the attributes of the tickets obtained from the kdc by a client (eg. I don't want any ticket to be forwardable?) I noticed that kinit uses! the [libdefaults] section to look for possible ticket attributes even though none of those attributes exists in the kdc's krb5.conf (libdefaults) section.

That's all for now...
Thanks.

Yahoo! Shopping