
Re: kpasswd -c /tmp/krb5cc_1000 alice@EXAMPLE.COM doesn't work?



On Mon, 17 Dec 2007 18:08:30 -0800
"Henry B. Hotz" <hotz@jpl.nasa.gov> wrote:
> On Dec 17, 2007, at 4:53 PM, Michael B Allen wrote:
> >   Valid starting     Expires            Service principal
> >   12/17/07 19:40:19  12/17/07 19:42:41  kadmin/changepw@W.NET
> >           renew until 12/17/07 19:42:19, Flags: RIA
> 
> Here it is.  See the "I" (= initial) flag?
> 
> If you get a tgt and use it to get the kadmin/changepw service ticket
> then the service ticket won't have that flag set.  The change
> password service could use that flag to *require* the user to
> re-authenticate directly for the service, instead of using a tgt that
> already existed.

Yes. AD does in fact require the initial flag when changing your own
password. That was my original question and why I started this thread. I
do not know if any behavior has changed either in Heimdal or AD but I
used kpasswd from 0.7.2 and Windows 2003 Server.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
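
An added example, not part of either message: a small Python check that reads a ticket listing in the format quoted in the thread and reports whether the kadmin/changepw ticket carries the initial ("I") flag. The second listing is constructed for illustration, and the function names are hypothetical.

```python
import re

# A ticket line: start time, end time, service principal.
ENTRY = re.compile(r"^\s*(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
                   r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*$")
FLAGS = re.compile(r"Flags:\s*([A-Za-z]+)")

# Listing quoted in the thread: ticket requested directly, "I" is present.
FROM_THREAD = """\
  Valid starting     Expires            Service principal
  12/17/07 19:40:19  12/17/07 19:42:41  kadmin/changepw@W.NET
          renew until 12/17/07 19:42:19, Flags: RIA
"""

# Constructed sample: service ticket obtained with an existing tgt, so the
# tgt has "I" but the kadmin/changepw ticket does not.
VIA_TGT = """\
  Valid starting     Expires            Service principal
  12/17/07 19:40:19  12/18/07 05:40:19  krbtgt/W.NET@W.NET
          renew until 12/18/07 19:40:19, Flags: RIA
  12/17/07 19:41:02  12/17/07 19:43:02  kadmin/changepw@W.NET
          renew until 12/18/07 19:40:19, Flags: RA
"""

def parse_tickets(text):
    """Return one dict per ticket; flags stay None if no Flags: line follows."""
    tickets = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            tickets.append({"start": m.group(1), "end": m.group(2),
                            "principal": m.group(3), "flags": None})
            continue
        f = FLAGS.search(line)
        if f and tickets:          # continuation line of the last ticket
            tickets[-1]["flags"] = f.group(1)
    return tickets

def changepw_status(text):
    """Return 'initial', 'not-initial', 'unknown' (no flags listed) or 'absent'."""
    for t in parse_tickets(text):
        if t["principal"].startswith("kadmin/changepw@"):
            if t["flags"] is None:
                return "unknown"
            # Compare case-sensitively: only upper-case "I" means initial.
            return "initial" if "I" in t["flags"] else "not-initial"
    return "absent"

if __name__ == "__main__":
    for name, listing in (("thread", FROM_THREAD), ("via tgt", VIA_TGT)):
        print(name, "->", changepw_status(listing))
```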