
Re: kpasswd -c /tmp/krb5cc_1000 alice@EXAMPLE.COM doesn't work?



On Mon, 17 Dec 2007 15:16:30 -0800
"Henry B. Hotz" <hotz@jpl.nasa.gov> wrote:
> On Dec 15, 2007, at 2:35 PM, Love Hörnquist Åstrand wrote:
> >> Ultimately I just needed to pass 'kadmin/changepw' to
> >> krb5_get_init_creds_password. The resulting ccache can then be used
> >> with krb5_set_password_using_ccache.
> >
> > You are correct, initial tickets are needed to change password.
> >
> > kinit -S kadmin/changepw will work too.
>
> Hmmm.  I thought the service ticket needed the "initial" flag to be  
> accepted, which translated to needing the "kinit -S".  Didn't think  
> it was allowed to use a tgt intermediary.
> 
> Did that change, or did the clients just not support it?  (I'm  
> comparing to 0.6-ish.)

Hi Henry,

Not really sure what you're asking. The -S gets an initial ticket with
the specified service name so it seems kpasswd uses that ticket directly.

Just for kicks I tried it and it works as advertised.

  $ kinit -S kadmin/changepw bcarter@W.NET
  Password for bcarter@W.NET: 
  $ ./kpasswd -c /tmp/krb5cc_1000 bcarter@W.NET
  New password for bcarter@W.NET: 
  Verify password - New password for bcarter@W.NET: 
  Success
  $ klist -f
  Ticket cache: FILE:/tmp/krb5cc_1000
  Default principal: bcarter@W.NET
  
  Valid starting     Expires            Service principal
  12/17/07 19:40:19  12/17/07 19:42:41  kadmin/changepw@W.NET
          renew until 12/17/07 19:42:19, Flags: RIA
  
  
  Kerberos 4 ticket cache: /tmp/tkt1000
  klist: You have no tickets cached

Note that the ticket's only good for about 2 minutes (and AD doesn't
seem to care if you ask for more time) so you have to be a fast
typist. Otherwise you get:

  $ ./kpasswd -c /tmp/krb5cc_1000 bcarter@W.NET
  New password for bcarter@W.NET: 
  Verify password - New password for bcarter@W.NET: 
  kpasswd: krb5_set_password_using_ccache: Matching credential not found

Mike

PS: I used MIT kinit and klist whereas I used Heimdal kpasswd because
it supports the -c option but of course it shouldn't make any difference.

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
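The failure Mike shows above ("Matching credential not found") is just the kadmin/changepw ticket expiring before kpasswd gets to use it. The script below is an added example, not code from the original post or from MIT/Heimdal: it parses the text that MIT `klist -f` prints (the sample is copied from the thread's output) and reports whether the cache still holds an initial (flag `I`) kadmin/changepw ticket with enough lifetime left, so a wrapper can re-run `kinit -S kadmin/changepw` before calling `kpasswd -c` instead of failing. The cache path, the 5-second margin and the assumption that the two-digit-year timestamp format is klist's default are the example's own choices.

```python
"""Check a credential cache for a usable kadmin/changepw ticket.

Added example for the thread above (not part of the original post).
Parses MIT `klist -f` output and answers: is there an *initial*, not yet
expired kadmin/changepw ticket, i.e. will `kpasswd -c <cache>` work now?
"""
import os
import re
import subprocess
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: the klist -f output quoted in the thread.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: bcarter@W.NET

Valid starting     Expires            Service principal
12/17/07 19:40:19  12/17/07 19:42:41  kadmin/changepw@W.NET
        renew until 12/17/07 19:42:19, Flags: RIA
"""

# klist's default timestamp, e.g. "12/17/07 19:40:19" (assumed format).
_TS = r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"
_TICKET_RE = re.compile(rf"^({_TS})\s+({_TS})\s+(\S+)\s*$")
_FLAGS_RE = re.compile(r"Flags:\s*([A-Za-z]+)")
_TS_FMT = "%m/%d/%y %H:%M:%S"


@dataclass
class Ticket:
    starts: datetime
    expires: datetime
    service: str
    flags: str = ""


def parse_klist(text):
    """Turn `klist -f` text into Ticket records.

    A ticket line is followed by an indented continuation line carrying
    "renew until ..., Flags: ..."; the flags are attached to the ticket
    parsed just before it.
    """
    tickets = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(datetime.strptime(m.group(1), _TS_FMT),
                                  datetime.strptime(m.group(2), _TS_FMT),
                                  m.group(3)))
            continue
        f = _FLAGS_RE.search(line)
        if f and tickets:
            tickets[-1].flags = f.group(1)
    return tickets


def changepw_ticket_ok(text, now, service="kadmin/changepw", min_remaining=5):
    """Return (ok, reason) for the first kadmin/changepw ticket in `text`.

    ok is True only if the ticket carries the I (initial) flag, which the
    change-password service requires, and still has at least
    `min_remaining` seconds of lifetime at time `now`.
    """
    for t in parse_klist(text):
        if not t.service.startswith(service + "@"):
            continue
        if "I" not in t.flags:
            return False, "not an initial ticket (no I flag); get it with kinit -S"
        remaining = (t.expires - now).total_seconds()
        if remaining < min_remaining:
            return False, f"ticket expires in {remaining:.0f}s; re-run kinit -S first"
        return True, f"{remaining:.0f}s remaining"
    return False, f"no {service} ticket in cache"


def check_cache(cache="/tmp/krb5cc_1000", now=None):
    """Run the real klist against `cache` (assumed path) and check it.

    KRB5CCNAME is used rather than a command-line option because both MIT
    and Heimdal klist honour it.
    """
    env = dict(os.environ, KRB5CCNAME=f"FILE:{cache}")
    out = subprocess.run(["klist", "-f"], env=env, capture_output=True,
                         text=True, check=False).stdout
    return changepw_ticket_ok(out, now or datetime.now())


if __name__ == "__main__":
    # Offline demo on the constructed sample: 40 s after kinit it is
    # usable, 3 minutes later it is the "Matching credential not found" case.
    for t in (datetime(2007, 12, 17, 19, 41, 0), datetime(2007, 12, 17, 19, 43, 0)):
        print(t.time(), changepw_ticket_ok(SAMPLE_KLIST, t))
```

A wrapper that wants to avoid the race entirely can call `check_cache()` and, on a False result, run `kinit -S kadmin/changepw` again immediately before invoking `kpasswd -c`; with the roughly two-minute lifetime AD hands out there is no point relying on a ticket obtained earlier.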