Re: kpasswd -c /tmp/krb5cc_1000 alice@EXAMPLE.COM doesn't work?
On Mon, 17 Dec 2007 18:08:30 -0800
"Henry B. Hotz" <email@example.com> wrote:
> On Dec 17, 2007, at 4:53 PM, Michael B Allen wrote:
> > Valid starting Expires Service principal
> > 12/17/07 19:40:19 12/17/07 19:42:41 kadmin/changepw@W.NET
> > renew until 12/17/07 19:42:19, Flags: RIA
> Here it is. See the "I" (= initial) flag?
> If you get a tgt and use it to get the kadmin/changepw service ticket
> then the service ticket won't have that flag set. The change
> password service could use that flag to *require* the user to re-
> authenticate directly for the service, instead of using a tgt that
> already existed.
Yes. AD does in fact require the initial flag when changing your own
password. That was my original question and why I started this thread. I
do not know if any behavior has changed either in Heimdal or AD but I
used kpasswd from 0.7.2 and Windows 2003 Server.
Michael B Allen
PHP Active Directory SPNEGO SSO
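
A check for the flag discussed in this thread, as an added example that is not part of the original messages: it parses a credential-cache listing in the layout quoted above and reports whether each kadmin/changepw ticket carries the initial (I) flag. The sample listing is constructed (only its first entry mirrors the quoted output), and the function names are hypothetical.

```python
import re

# Constructed sample listing. The first entry mirrors the output quoted in the
# thread; the krbtgt entry and the last entry (no "I" flag, as for a service
# ticket obtained with an existing TGT) are made up for illustration.
SAMPLE = """\
Valid starting     Expires            Service principal
12/17/07 19:40:19  12/17/07 19:42:41  kadmin/changepw@W.NET
    renew until 12/17/07 19:42:19, Flags: RIA
12/17/07 19:30:02  12/18/07 05:30:02  krbtgt/W.NET@W.NET
    renew until 12/24/07 19:30:02, Flags: FRIA
12/17/07 19:41:07  12/17/07 19:43:07  kadmin/changepw@W.NET
    Flags: FA
"""

# A ticket line is "<date> <time>  <date> <time>  <principal@REALM>".
TICKET = re.compile(r"^\s*(\S+ \S+)\s+(\S+ \S+)\s+(\S+@\S+)\s*$")
# Flag letters follow "Flags:" on the continuation line.
FLAGS = re.compile(r"Flags:\s*([A-Za-z]+)")


def parse_klist(text):
    """Return one dict per ticket: {'principal': ..., 'flags': ...}."""
    tickets = []
    for line in text.splitlines():
        m = TICKET.match(line)
        if m:
            tickets.append({"principal": m.group(3), "flags": ""})
            continue
        f = FLAGS.search(line)
        if f and tickets:
            tickets[-1]["flags"] = f.group(1)
    return tickets


def changepw_tickets(text, service="kadmin/changepw"):
    """Return (principal, has_initial_flag) for each change-password ticket."""
    result = []
    for t in parse_klist(text):
        if t["principal"].split("@")[0] == service:
            # Flag letters are case-sensitive: "I" is initial, "i" is invalid.
            result.append((t["principal"], "I" in t["flags"]))
    return result


if __name__ == "__main__":
    for principal, initial in changepw_tickets(SAMPLE):
        print(principal, "initial" if initial else "NOT initial (TGT-derived)")
```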