[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: kpasswd -c /tmp/krb5cc_1000 alice@EXAMPLE.COM doesn't work?

On Mon, 17 Dec 2007 18:08:30 -0800
"Henry B. Hotz" <hotz@jpl.nasa.gov> wrote:
> On Dec 17, 2007, at 4:53 PM, Michael B Allen wrote:
> >   Valid starting     Expires            Service principal
> >   12/17/07 19:40:19  12/17/07 19:42:41  kadmin/changepw@W.NET
> >           renew until 12/17/07 19:42:19, Flags: RIA
> Here it is.  See the "I" (= initial) flag?
> If you get a tgt and use it to get the kadmin/changepw service ticket  
> then the service ticket won't have that flag set.  The change  
> password service could use that flag to *require* the user to re- 
> authenticate directly for the service, instead of using a tgt that  
> already existed.

Yes. AD does in fact require the initial flag when changing your own
password. That was my original question and why I started this thread. I
do not know if any behavior has changed either in Heimdal or AD but I
used kpasswd from 0.7.2 and Windows 2003 Server.


Michael B Allen
PHP Active Directory SPNEGO SSO