[36676] in Kerberos


Re: Problems when using kadmin instead of kadmin.local

daemon@ATHENA.MIT.EDU (Marc Richter)
Thu Dec 18 05:36:53 2014

Message-ID: <5492AE32.9010408@marc-richter.info>
Date: Thu, 18 Dec 2014 11:36:34 +0100
From: Marc Richter <mail@marc-richter.info>
MIME-Version: 1.0
To: Tom Yu <tlyu@mit.edu>
In-Reply-To: <ldvtx0uqdg7.fsf@sarnath.mit.edu>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi Tom,

Your answer seems to have pointed me in the right direction: it seems
to be related to the very large values I assigned:

kadmin:  get_policy admin
Policy: admin
Maximum password life: 2592000
Minimum password life: 86400
Minimum password length: 10
Minimum number of password character classes: 3
Number of old keys kept: 10
Reference count: 0
Maximum password failures before lockout: 0
Password failure count reset interval: 0 days 00:00:00
Password lockout duration: 0 days 00:00:00
kadmin: modify_policy -maxlife 36500days -minlife 1day -minlength 12 
-minclasses 3 -history 30 admin
modify_policy: Communication failure with server while modifying policy 
"admin".
kadmin:  modify_policy -maxlife 31days -minlife 1day -minlength 12 
-minclasses 3 -history 30 admin
kadmin:

Thank you for pointing me to that!
The OS running is Debian amd64 x86_64, so yeah: 64-bit platform.

When I was playing around with the possible policy features, I searched 
for a value like "forever" for '-maxlife'. Since I didn't find that, I 
set 100 years instead (36500days). That I could set it to '0' or leave it
out completely to achieve that hadn't occurred to me.
Not sure if this has to be classified as a bug or not now ... normally,
kadmin and kadmin.local should behave the same way, so I'd say it is;
even though the value I used is stupid, it shouldn't lead to that behavior.

Thanks for your help!

On 17.12.2014 at 20:32, Tom Yu wrote:
> Marc Richter <mail@marc-richter.info> writes:
>
>> root@deb-krb:/etc# kadmin.local -m -p user/admin@EXAMPLE.COM
>> Authenticating as principal user/admin@EXAMPLE.COM with password.
>> Enter KDC database master key:
>> kadmin.local:  get_policy admin
>> Policy: admin
>> Maximum password life: 3153600000
>
> Do you get a failure when attempting to do any remote kadmin operation
> that doesn't involve setting or retrieving a password life that is
> greater than 2**31?  Also, is this a 64-bit platform?
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
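
A pre-flight check for the two modify_policy commands in the message above, as an added example that is not part of the original thread or of the krb5 code. It assumes, following the 2**31 threshold in Tom Yu's question, that the remote kadmin path carries password lifetimes in a signed 32-bit field; the function names are hypothetical and only simple "<number><unit>" durations are parsed, not every syntax kadmin accepts.

```python
import re
import struct

# Simple "<number><unit>" forms only (assumption: covers the values in this thread).
_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400, "week": 604800}
_DURATION = re.compile(r"^\s*(\d+)\s*([a-z]*?)s?\s*$", re.IGNORECASE)


def to_seconds(text):
    """Convert '36500days', '1day' or a bare number of seconds to an int."""
    m = _DURATION.match(text)
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    unit = m.group(2).lower()
    if unit and unit not in _UNIT_SECONDS:
        raise ValueError(f"unknown unit in duration: {text!r}")
    return int(m.group(1)) * _UNIT_SECONDS.get(unit, 1)


def fits_int32_wire(seconds):
    """True if the value can be encoded as a signed 32-bit big-endian integer.

    Assumption: this models the remote path; a local tool that keeps the
    value in a native 64-bit integer has no such limit.
    """
    try:
        struct.pack(">i", seconds)
        return True
    except struct.error:
        return False


def check_policy_args(args):
    """Map each -maxlife/-minlife flag to (seconds, fits_in_32_bits)."""
    result = {}
    for flag, value in zip(args, args[1:]):
        if flag in ("-maxlife", "-minlife"):
            secs = to_seconds(value)
            result[flag] = (secs, fits_int32_wire(secs))
    return result


# Argument lists copied from the kadmin session in the message above.
FAILED = "-maxlife 36500days -minlife 1day -minlength 12 -minclasses 3 -history 30 admin".split()
WORKED = "-maxlife 31days -minlife 1day -minlength 12 -minclasses 3 -history 30 admin".split()

if __name__ == "__main__":
    for name, args in (("failed", FAILED), ("worked", WORKED)):
        for flag, (secs, ok) in check_policy_args(args).items():
            print(f"{name}: {flag} = {secs} s, fits in signed 32 bits: {ok}")
```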
