Re: kpasswd -c /tmp/krb5cc_1000 alice@EXAMPLE.COM doesn't work?
On Dec 17, 2007, at 4:53 PM, Michael B Allen wrote:
> On Mon, 17 Dec 2007 15:16:30 -0800
> "Henry B. Hotz" <hotz@jpl.nasa.gov> wrote:
>> On Dec 15, 2007, at 2:35 PM, Love Hörnquist Åstrand wrote:
>>>> Ultimately I just needed to pass 'kadmin/changepw' to
>>>> krb5_get_init_creds_password. The resulting ccache can then be used
>>>> with krb5_set_password_using_ccache.
>>>
>>> You are correct, initial tickets are needed to change password.
>>>
>>> kinit -S kadmin/changepw will work too.
>>
>> Hmmm. I thought the service ticket needed the "initial" flag to be
>> accepted, which translated to needing the "kinit -S". Didn't think
>> it was allowed to use a tgt intermediary.
>>
>> Did that change, or did the clients just not support it? (I'm
>> comparing to 0.6-ish.)
>
> Hi Henry,
>
> Not really sure what you're asking. The -S gets an initial ticket with
> the specified service name so it seems kpasswd uses that ticket
> directly.
Only question is if the behavior changed.
> Just for kicks I tried it and it works as advertised.
>
> $ kinit -S kadmin/changepw bcarter@W.NET
> Password for bcarter@W.NET:
> $ ./kpasswd -c /tmp/krb5cc_1000 bcarter@W.NET
> New password for bcarter@W.NET:
> Verify password - New password for bcarter@W.NET:
> Success
> $ klist -f
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: bcarter@W.NET
>
> Valid starting     Expires            Service principal
> 12/17/07 19:40:19  12/17/07 19:42:41  kadmin/changepw@W.NET
>         renew until 12/17/07 19:42:19, Flags: RIA
Here it is. See the "I" (= initial) flag?
If you get a tgt and use it to get the kadmin/changepw service ticket
then the service ticket won't have that flag set. The change
password service could use that flag to *require* the user to
re-authenticate directly for the service, instead of using a tgt that
already existed.
(Think of someone walking up to an already-authenticated
workstation. Don't want them to change the password, just because
someone forgot to lock the screen.)
>
> Kerberos 4 ticket cache: /tmp/tkt1000
> klist: You have no tickets cached
>
> Note that the ticket's only good for about 2 minutes (and AD doesn't
> seem to care if you ask for more time) so you have to be a fast
> typer. Otherwise you get:
>
> $ ./kpasswd -c /tmp/krb5cc_1000 bcarter@W.NET
> New password for bcarter@W.NET:
> Verify password - New password for bcarter@W.NET:
> kpasswd: krb5_set_password_using_ccache: Matching credential not
> found
>
> Mike
>
> PS: I used MIT kinit and klist whereas I used Heimdal kpasswd because
> it supports the -c option but of course it shouldn't make any
> difference.
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
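As an added example (not code from this thread or from either Kerberos implementation), a small Python check that parses `klist -f` output and reports whether the kadmin/changepw credential in a ccache carries the initial ("I") flag and is still inside its short validity window; the line layout is assumed to match the MIT klist session quoted above.

```python
import re
from datetime import datetime

# One ticket line: "<valid starting>  <expires>  <service principal>" (MIT klist layout).
TICKET_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$")
# The continuation line of "klist -f" carries "Flags: ..." for the preceding ticket.
FLAGS_RE = re.compile(r"Flags:\s*([A-Za-z]*)")
TS_FMT = "%m/%d/%y %H:%M:%S"

def parse_klist(text):
    """Return a list of {starts, expires, service, flags} dicts from klist -f output."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            tickets.append({
                "starts": datetime.strptime(m.group(1), TS_FMT),
                "expires": datetime.strptime(m.group(2), TS_FMT),
                "service": m.group(3),
                "flags": "",
            })
            continue
        f = FLAGS_RE.search(line)
        if f and tickets:  # flag line belongs to the ticket parsed just before it
            tickets[-1]["flags"] = f.group(1)
    return tickets

def changepw_status(text, now):
    """Summarise the kadmin/changepw credential: present, initial-flagged, unexpired."""
    for t in parse_klist(text):
        if t["service"].startswith("kadmin/changepw@"):
            return {
                "found": True,
                "initial": "I" in t["flags"],          # obtained via kinit -S, not via a TGT
                "valid": t["starts"] <= now < t["expires"],
            }
    return {"found": False, "initial": False, "valid": False}

# Constructed sample mirroring the klist -f output quoted in the thread.
SAMPLE = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: bcarter@W.NET

Valid starting     Expires            Service principal
12/17/07 19:40:19  12/17/07 19:42:41  kadmin/changepw@W.NET
\trenew until 12/17/07 19:42:19, Flags: RIA
"""
```

A ticket for the same service fetched through an existing TGT parses the same way but lacks the "I" in its flags, which is exactly what a change-password service that insists on initial tickets would reject.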