
Re: Password expiration/aging?



Our 0.6 to 0.7 upgrade script included the following:

/usr/heimdal/sbin/kadmin -l mod --attributes=pwchange-service,disallow-proxiable,disallow-renewable,disallow-tgt-based,disallow-forwardable,disallow-postdated kadmin/changepw@JPL.NASA.GOV

Most of the extras were just me being neurotic, but I think at least  
one of them was needed for Solaris kpasswd compatibility.  I did the  
same thing to both principals.

On Aug 17, 2006, at 10:50 AM, Alf Wachsmann wrote:

> On Thu, 17 Aug 2006, Alf Wachsmann wrote:
>> I am doing some experimenting with password expiration and found that
>> not much is working in Heimdal.
>
> A colleague found the problem: our kadmin/changepw@SLAC.STANFORD.EDU
> principal did not have the right attributes (pwchange-service,
> disallow-tgt-based) set. Instead, there is another principal,
> changepw/kerberos@SLAC.STANFORD.EDU, which seems to have been created
> at realm setup that had the right attributes but it is, of course,
> the wrong principal :-{
>
> I don't know why the kadmin/changepw principal's attributes were not
> set at realm setup.
>
>
>> - When I set the password expiration time by hand to a time before now
>> 	kadmin> mod --pw-expiration-time=2006-08-16 vanilla
>>   I cannot get a TGT - which is good - but I also cannot change the
>>   password:
>
> With the above change, this is now working.
>
> -- Alf.

----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
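
A check for the condition this thread describes (a kadmin/changepw principal lacking pwchange-service and disallow-tgt-based), as an added example that is not part of the original messages. It assumes that `kadmin -l get` prints an "Attributes:" line with a comma-separated list; the function names, the EXAMPLE.ORG realm and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the attributes of a password-change principal.
# Assumption: `kadmin -l get <principal>` prints an "Attributes:" line holding
# a comma-separated list; adjust the parsing if your Heimdal output differs.

# The two attributes the thread identifies as required on kadmin/changepw.
REQUIRED="pwchange-service disallow-tgt-based"

# missing_attrs: read `kadmin get` output on stdin and print the required
# attributes that are absent (space-separated; empty when all are set).
# A principal with no Attributes line at all reports everything missing.
missing_attrs() {
    attrs=$(sed -n 's/^[[:space:]]*Attributes:[[:space:]]*//p' | tr -d ' \t' | head -n 1)
    missing=""
    for want in $REQUIRED; do
        # Wrap in commas so only whole attribute names match.
        case ",$attrs," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    printf '%s' "$missing"
}

# audit_principal (hypothetical helper): query the local database and report.
# usage: audit_principal kadmin/changepw@EXAMPLE.ORG
audit_principal() {
    m=$(kadmin -l get "$1" | missing_attrs)
    if [ -n "$m" ]; then
        echo "$1: missing $m"
        return 1
    fi
    echo "$1: ok"
}

# Constructed sample output (not captured from a real KDC).
SAMPLE_GOOD='            Principal: kadmin/changepw@EXAMPLE.ORG
           Attributes: disallow-tgt-based, pwchange-service, disallow-proxiable'
SAMPLE_BAD='            Principal: kadmin/changepw@EXAMPLE.ORG
           Attributes: disallow-proxiable'

# Demonstration on the constructed samples.
echo "good sample, missing: [$(printf '%s\n' "$SAMPLE_GOOD" | missing_attrs)]"
echo "bad sample,  missing: [$(printf '%s\n' "$SAMPLE_BAD" | missing_attrs)]"
```

Running `audit_principal` against both kadmin/changepw and any changepw/kerberos principal in the realm shows which one actually carries the attributes.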