Re: Password expiration/aging?
Our 0.6 to 0.7 upgrade script included the following:
/usr/heimdal/sbin/kadmin -l mod --attributes=pwchange-service,disallow-proxiable,disallow-renewable,disallow-tgt-based,disallow-forwardable,disallow-postdated kadmin/changepw@JPL.NASA.GOV
Most of the extras were just me being neurotic, but I think at least
one of them was needed for Solaris kpasswd compatibility. I did the
same thing to both principals.
On Aug 17, 2006, at 10:50 AM, Alf Wachsmann wrote:
> On Thu, 17 Aug 2006, Alf Wachsmann wrote:
>> I am doing some experimenting with password expiration and found that
>> not much is working in Heimdal.
>
> A colleague found the problem: our kadmin/changepw@SLAC.STANFORD.EDU
> principal did not have the right attributes (pwchange-service,
> disallow-tgt-based) set. Instead, there is another principal,
> changepw/kerberos@SLAC.STANFORD.EDU, which seems to have been created
> at realm setup that had the right attributes but it is, of course,
> the wrong principal :-{
>
> I don't know why the kadmin/changepw principal's attributes were not
> set at realm setup.
>
>
>> - When I set the password expiration time by hand to a time before now
>> kadmin> mod --pw-expiration-time=2006-08-16 vanilla
>> I cannot get a TGT - which is good - but I also cannot change the
>> password:
>
> With the above change, this is now working.
>
> -- Alf.
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
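
A check for the misconfiguration discussed in this thread, as an added example that is not part of the original messages: it reads `kadmin get` output and reports which of the two attributes named above (pwchange-service, disallow-tgt-based) are absent from the principal. The function name, the EXAMPLE.ORG realm and the sample records are constructed for illustration, and the single comma-separated "Attributes:" line is an assumption about the output layout.

```shell
#!/bin/sh
# Attributes the thread identifies as required on kadmin/changepw.
REQUIRED_ATTRS="pwchange-service disallow-tgt-based"

# Read `kadmin get`-style output on stdin and print every required attribute
# that is absent, space separated. Empty output means the principal is fine.
# Assumption: attributes sit on one "Attributes:" line, comma separated.
missing_changepw_attrs() {
    attrs=$(sed -n 's/^[[:space:]]*Attributes:[[:space:]]*//p' \
        | tr -d ' \t' | tr ',' '\n')
    missing=""
    for want in $REQUIRED_ATTRS; do
        # -x matches the whole line, so a longer name cannot satisfy the check
        if ! printf '%s\n' "$attrs" | grep -qx -- "$want"; then
            missing="${missing:+$missing }$want"
        fi
    done
    printf '%s' "$missing"
}

# Constructed sample records (not taken from a real KDC).
sample_broken() {
cat <<'EOF'
            Principal: kadmin/changepw@EXAMPLE.ORG
           Attributes: disallow-postdated
EOF
}

sample_fixed() {
cat <<'EOF'
            Principal: kadmin/changepw@EXAMPLE.ORG
           Attributes: pwchange-service, disallow-tgt-based, disallow-proxiable
EOF
}

# Demo on the constructed records. Against a live database, pipe in:
#   /usr/heimdal/sbin/kadmin -l get kadmin/changepw | missing_changepw_attrs
for s in sample_broken sample_fixed; do
    m=$($s | missing_changepw_attrs)
    echo "$s: ${m:-ok}"
done
```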