Re: Password expiration/aging?

On Thu, 17 Aug 2006, Alf Wachsmann wrote:
> I am doing some experimenting with password expiration and found that
> not much is working in Heimdal.

A colleague found the problem: our kadmin/changepw@SLAC.STANFORD.EDU
principal did not have the right attributes (pwchange-service,
disallow-tgt-based) set. Instead, there is another principal,
changepw/kerberos@SLAC.STANFORD.EDU, which seems to have been created
at realm setup that had the right attributes but it is, of course,
the wrong principal :-{

I don't know why the kadmin/changepw principal's attributes were not
set at realm setup.

> - When I set the password expiration time by hand to a time before now
> 	kadmin> mod --pw-expiration-time=2006-08-16 vanilla
>   I cannot get a TGT - which is good - but I also cannot change the
>   password:

With the above change, this is now working.

-- Alf.

  Alf Wachsmann                       | e-mail: alfw@slac.stanford.edu
  SLAC - Scientific Computing         | Phone:  +1-650-926-4802
  2575 Sand Hill Road, M/S 97         | FAX:    +1-650-926-3329
  Menlo Park, CA 94025, USA           | Office: Bldg. 50/323
                http://www.slac.stanford.edu/~alfw (PGP)
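
An added example, not part of the original message and not Heimdal's own code: a shell check that reads `kadmin get` output for the password-change principal and reports which of the two attributes named in the message are missing. The `Attributes:` line layout, the function name `missing_attrs`, and the sample outputs (realm EXAMPLE.ORG) are constructed assumptions.

```shell
#!/bin/sh
# Attributes the message says kadmin/changepw must carry.
REQUIRED_ATTRS="pwchange-service disallow-tgt-based"

# missing_attrs (hypothetical helper): reads principal details on stdin,
# e.g. the output of `kadmin get kadmin/changepw`, and prints the required
# attributes that do not appear on the "Attributes:" line (empty if none).
missing_attrs() {
    # Assumed layout: one "Attributes: a, b, c" line, possibly indented.
    attrs=$(sed -n 's/^[[:space:]]*Attributes:[[:space:]]*//p' | tr ',' ' ')
    missing=""
    for want in $REQUIRED_ATTRS; do
        found=no
        for have in $attrs; do
            if [ "$have" = "$want" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then missing="$missing $want"; fi
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample: principal created without the attributes (the broken state).
SAMPLE_BROKEN='            Principal: kadmin/changepw@EXAMPLE.ORG
                 Kvno: 1
           Attributes: '

# Constructed sample: only one of the two attributes present.
SAMPLE_PARTIAL='            Principal: kadmin/changepw@EXAMPLE.ORG
                 Kvno: 1
           Attributes: disallow-tgt-based'

# Constructed sample: both attributes set (the working state).
SAMPLE_FIXED='            Principal: kadmin/changepw@EXAMPLE.ORG
                 Kvno: 1
           Attributes: disallow-tgt-based, pwchange-service'

printf 'broken:  missing [%s]\n' "$(printf '%s\n' "$SAMPLE_BROKEN" | missing_attrs)"
printf 'partial: missing [%s]\n' "$(printf '%s\n' "$SAMPLE_PARTIAL" | missing_attrs)"
printf 'fixed:   missing [%s]\n' "$(printf '%s\n' "$SAMPLE_FIXED" | missing_attrs)"
```

Against a live KDC, pipe the real `kadmin get kadmin/changepw` output into `missing_attrs` in place of the samples.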