[39419] in Kerberos
Re: Force to change password for users
daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Apr 19 12:28:36 2024
Message-ID: <eea80750-d5a6-48f9-b2c4-4efc399655e5@mit.edu>
Date: Fri, 19 Apr 2024 12:27:18 -0400
MIME-Version: 1.0
To: Carlos Lopez <clopmz@outlook.com>, "kerberos@mit.edu" <kerberos@mit.edu>
Content-Language: en-US
From: "Greg Hudson" <ghudson@mit.edu>
In-Reply-To: <PRAP251MB056715F9F72A4C47C0AE558CDB0D2@PRAP251MB0567.EURP251.PROD.OUTLOOK.COM>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: kerberos-bounces@mit.edu
On 4/19/24 08:06, Carlos Lopez wrote:
> [...] AS_REQ [...] REQUIRED PWCHANGE: user1@MYDOM.ORG for krbtgt/MYDOM.ORG@MYDOM.ORG, Password has expired
> [...] AS_REQ [...] NEEDED_PREAUTH: user1@MYDOM.ORG for kadmin/changepw@MYDOM.ORG, Additional pre-authentication required
> [...] AS_REQ [...] ISSUE: [...] user1@MYDOM.ORG for kadmin/changepw@MYDOM.ORG
>
> But in the client side, user can login without problems and no password change is requested.
These are the messages I would expect in the log, including user1
getting a ticket to perform a password change.
You say the user can log in. Do they have tickets, or do you just mean
a login session is authorized based on the Kerberos interaction? What
client-side software is being used?
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
