Re: Password expiration/aging?
On Thu, 17 Aug 2006, Alf Wachsmann wrote:
> I am doing some experimenting with password expiration and found that
> not much is working in Heimdal.
A colleague found the problem: our kadmin/changepw@SLAC.STANFORD.EDU
principal did not have the right attributes (pwchange-service,
disallow-tgt-based) set. Instead, there is another principal,
changepw/kerberos@SLAC.STANFORD.EDU, which seems to have been created
at realm setup that had the right attributes but it is, of course,
the wrong principal :-{
I don't know why the kadmin/changepw principal's attributes were not
set at realm setup.
> - When I set the password expiration time by hand to a time before now
> kadmin> mod --pw-expiration-time=2006-08-16 vanilla
> I cannot get a TGT - which is good - but I also cannot change the
> password:
With the above change, this is now working.
-- Alf.
-----------------------------------------------------------------------
Alf Wachsmann | e-mail: alfw@slac.stanford.edu
SLAC - Scientific Computing | Phone: +1-650-926-4802
2575 Sand Hill Road, M/S 97 | FAX: +1-650-926-3329
Menlo Park, CA 94025, USA | Office: Bldg. 50/323
-----------------------------------------------------------------------
http://www.slac.stanford.edu/~alfw (PGP)
-----------------------------------------------------------------------
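
Added example, not part of the original message and not Heimdal code: a small audit that checks whether kadmin/changepw carries the two attributes named above and flags any other principal holding pwchange-service instead. The "Label: value" listing layout, the EXAMPLE.ORG realm and the function names are assumptions; the sample text is constructed.

```python
import re

# Attributes the message says the password-change principal must carry.
REQUIRED = {"pwchange-service", "disallow-tgt-based"}

# Constructed sample in a "Label: value" principal-listing layout.
# The layout is an assumption; EXAMPLE.ORG is a placeholder realm.
SAMPLE = """\
            Principal: kadmin/changepw@EXAMPLE.ORG
     Password expires: never
           Attributes:

            Principal: changepw/kerberos@EXAMPLE.ORG
     Password expires: never
           Attributes: pwchange-service, disallow-tgt-based
"""

def parse_principals(text):
    """Return {principal: set(attributes)} from 'Label: value' records."""
    result, current = {}, None
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if not sep:
            continue  # blank or free-form line
        label, value = label.strip().lower(), value.strip()
        if label == "principal":
            current = value
            result[current] = set()
        elif label == "attributes" and current is not None:
            result[current] = {a for a in re.split(r"[,\s]+", value) if a}
    return result

def audit_changepw(text, realm):
    """Report missing attributes on kadmin/changepw and look-alike holders."""
    principals = parse_principals(text)
    expected = f"kadmin/changepw@{realm}"
    attrs = principals.get(expected)
    missing = sorted(REQUIRED if attrs is None else REQUIRED - attrs)
    # Other principals carrying the flag: the "wrong principal" case above.
    lookalikes = sorted(p for p, a in principals.items()
                        if p != expected and "pwchange-service" in a)
    return {"principal": expected, "present": attrs is not None,
            "missing": missing, "lookalikes": lookalikes}

if __name__ == "__main__":
    print(audit_changepw(SAMPLE, "EXAMPLE.ORG"))
```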