Re: kpasswd -c /tmp/krb5cc_1000 alice@EXAMPLE.COM doesn't work?

On Dec 17, 2007, at 4:53 PM, Michael B Allen wrote:

> On Mon, 17 Dec 2007 15:16:30 -0800
> "Henry B. Hotz" wrote:
>> On Dec 15, 2007, at 2:35 PM, Love Hörnquist Åstrand wrote:
>>>> Ultimately I just needed to pass 'kadmin/changepw' to
>>>> krb5_get_init_creds_password. The resulting ccache can then be used
>>>> with krb5_set_password_using_ccache.
>>> You are correct, initial tickets are needed to change password.
>>> kinit -S kadmin/changepw will work too.
>> Hmmm.  I thought the service ticket needed the "initial" flag to be
>> accepted, which translated to needing the "kinit -S".  Didn't think
>> it was allowed to use a tgt intermediary.
>> Did that change, or did the clients just not support it?  (I'm
>> comparing to 0.6-ish.)
> Hi Henry,
> Not really sure what you're asking. The -S gets an initial ticket with
> the specified service name so it seems kpasswd uses that ticket  
> directly.

Only question is if the behavior changed.

> Just for kicks I tried it and it works as advertised.
>   $ kinit -S kadmin/changepw bcarter@W.NET
>   Password for bcarter@W.NET:
>   $ ./kpasswd -c /tmp/krb5cc_1000 bcarter@W.NET
>   New password for bcarter@W.NET:
>   Verify password - New password for bcarter@W.NET:
>   Success
>   $ klist -f
>   Ticket cache: FILE:/tmp/krb5cc_1000
>   Default principal: bcarter@W.NET
>   Valid starting     Expires            Service principal
>   12/17/07 19:40:19  12/17/07 19:42:41  kadmin/changepw@W.NET
>           renew until 12/17/07 19:42:19, Flags: RIA

Here it is.  See the "I" (= initial) flag?

If you get a tgt and use it to get the kadmin/changepw service ticket
then the service ticket won't have that flag set.  The change
password service could use that flag to *require* the user to
re-authenticate directly for the service, instead of using a tgt that
already existed.

(Think of someone walking up to an already-authenticated  
workstation.  Don't want them to change the password, just because  
someone forgot to lock the screen.)

>   Kerberos 4 ticket cache: /tmp/tkt1000
>   klist: You have no tickets cached
> Note that the ticket's only good for about 2 minutes (and AD doesn't
> seem to care if you ask for more time) so you have to be a fast
> typer. Otherwise you get:
>   $ ./kpasswd -c /tmp/krb5cc_1000 bcarter@W.NET
>   New password for bcarter@W.NET:
>   Verify password - New password for bcarter@W.NET:
>   kpasswd: krb5_set_password_using_ccache: Matching credential not  
> found
> Mike
> PS: I used MIT kinit and klist whereas I used Heimdal kpasswd because
> it supports the -c option but of course it shouldn't make any  
> difference.
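A check a client-side helper could run before calling kpasswd, as an added example that is not code from the thread: it parses `klist -f` output (constructed samples modelled on the one quoted above) and reports whether the kadmin/changepw ticket is still valid and carries the Initial ("I") flag, i.e. was obtained directly with `kinit -S` rather than via a TGT. The realm and the "now" timestamp are parameters; the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed samples modelled on the `klist -f` output quoted in the thread.
DIRECT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: bcarter@W.NET
Valid starting     Expires            Service principal
12/17/07 19:40:19  12/17/07 19:42:41  kadmin/changepw@W.NET
        renew until 12/17/07 19:42:19, Flags: RIA
"""
# Same principal, but the changepw ticket was fetched with the TGT: no "I" flag.
VIA_TGT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: bcarter@W.NET
Valid starting     Expires            Service principal
12/17/07 19:40:19  12/18/07 05:40:19  krbtgt/W.NET@W.NET
        renew until 12/24/07 19:40:19, Flags: FRIA
12/17/07 19:41:02  12/18/07 05:40:19  kadmin/changepw@W.NET
        renew until 12/24/07 19:40:19, Flags: FRA
"""

TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)")
FLAGS_RE = re.compile(r"Flags:\s*([A-Za-z]*)")
FMT = "%m/%d/%y %H:%M:%S"

def parse_klist(text):
    """Return [{'service', 'expires', 'flags'}] parsed from `klist -f` output."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"service": m.group(3),
                            "expires": datetime.strptime(m.group(2), FMT),
                            "flags": set()})
        f = FLAGS_RE.search(line)  # flags follow on the indented line
        if f and tickets:
            tickets[-1]["flags"] |= set(f.group(1))
    return tickets

def changepw_ticket_status(text, realm, now):
    """'ok' if an unexpired kadmin/changepw ticket for realm has the Initial
    flag; otherwise the reason the password change would not go through."""
    svc = f"kadmin/changepw@{realm}"
    found = [t for t in parse_klist(text) if t["service"] == svc]
    if not found:
        return "missing"
    t = found[-1]
    if t["expires"] <= datetime.strptime(now, FMT):
        return "expired"      # the ~2 minute lifetime noted in the thread
    if "I" not in t["flags"]:
        return "not-initial"  # obtained via TGT, not with kinit -S
    return "ok"
```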

