[30345] in Kerberos
Re: using REQUIRES_PWCHANGE kinit reports expired passwords
daemon@ATHENA.MIT.EDU (Tom Yu)
Thu Oct 9 16:12:08 2008
To: Eduardo A Muñoz <eagmunoz@gmail.com>
From: Tom Yu <tlyu@MIT.EDU>
Date: Thu, 09 Oct 2008 16:10:19 -0400
In-Reply-To: <995e303f0810020028x53518f5fm9ebc15f6a3dcd1c5@mail.gmail.com>
(Eduardo A. Muñoz's message of "Fri, 3 Oct 2008 02:58:05 +1930")
Message-ID: <ldvk5chv8b8.fsf@cathode-dark-space.mit.edu>
Cc: kerberos@MIT.EDU
"Eduardo A Muñoz" <eagmunoz@gmail.com> writes:
> Hi,
>
> I'm working with Ubuntu 7.10 clients authenticating against Kerberos. The
> issue arises when I set the REQUIRES_PWCHANGE attribute to a user key so
> that at the next login they are required to change the password. Some machines
> (not all) can't authenticate when the mentioned attribute is set; they
> report
> "kinit(v5): Password has expired while getting initial credentials"
>
> (Of course my password expiration time hasn't been reached, and it reports
> the same working with policies or without them.)
>
> If I unset the attribute, I can obtain the tickets. Like I said, this
> behavior is present in some machines; others can get tickets with the
> attribute set or unset with the same principals.
This seems very strange and inconsistent. Are you sure all the client
machines are talking to the same KDC? REQUIRES_PWCHANGE should always
cause authentication failure except for service principals marked as
password-changing service principals.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
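
Added example (not part of the message above and not the MIT krb5 source): a simplified C model of the rule stated in the reply, showing why a principal flagged REQUIRES_PWCHANGE gets the same "Password has expired" error as one whose password really has expired, and why a request to a password-changing service is let through. The struct, function and reason names are hypothetical; the flag values are those of krb5's `kdb.h` and the error code is KDC_ERR_KEY_EXP from RFC 4120.

```c
#include <stdint.h>
#include <stdio.h>

/* Principal attribute bits, as defined in MIT krb5's kdb.h. */
#define KRB5_KDB_REQUIRES_PWCHANGE 0x00000200
#define KRB5_KDB_PWCHANGE_SERVICE  0x00002000

/* RFC 4120 error codes; kinit renders 23 as "Password has expired". */
#define KDC_ERR_NONE    0
#define KDC_ERR_KEY_EXP 23

/* Hypothetical reason codes, to tell apart causes the client cannot. */
enum reason { REASON_NONE, REASON_PW_EXPIRED, REASON_PWCHANGE_FLAG };

struct princ {               /* simplified stand-in for a KDB entry */
    uint32_t attributes;
    int64_t  pw_expiration;  /* 0 means the password never expires */
};

/* Model of the initial-ticket check: both causes yield the same error. */
int check_as_req(const struct princ *client, const struct princ *server,
                 int64_t now, enum reason *why)
{
    *why = REASON_NONE;
    /* Password-changing services are exempt, so the user can still
     * authenticate in order to set a new password. */
    if (server->attributes & KRB5_KDB_PWCHANGE_SERVICE)
        return KDC_ERR_NONE;
    if (client->pw_expiration != 0 && client->pw_expiration < now) {
        *why = REASON_PW_EXPIRED;
        return KDC_ERR_KEY_EXP;
    }
    if (client->attributes & KRB5_KDB_REQUIRES_PWCHANGE) {
        *why = REASON_PWCHANGE_FLAG;
        return KDC_ERR_KEY_EXP;
    }
    return KDC_ERR_NONE;
}

int main(void)
{
    /* Constructed sample principals: no expiration time, flag set. */
    struct princ user = { KRB5_KDB_REQUIRES_PWCHANGE, 0 };
    struct princ tgs  = { 0, 0 };                         /* ordinary TGT request */
    struct princ chpw = { KRB5_KDB_PWCHANGE_SERVICE, 0 }; /* e.g. kadmin/changepw */
    enum reason why;
    int rc = check_as_req(&user, &tgs, 1223583019, &why);
    printf("TGT request:      error %d, reason %d\n", rc, (int)why);
    rc = check_as_req(&user, &chpw, 1223583019, &why);
    printf("changepw request: error %d, reason %d\n", rc, (int)why);
    return 0;
}
```

Under this model a client that obtains an ordinary ticket for a flagged principal is not seeing the flag at all, which is consistent with the reply's question about whether every machine reaches the same KDC.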