Re: Kerberos for AD Authentication
daemon@ATHENA.MIT.EDU (Marcus Watts)
Mon Apr 28 19:47:51 2003
Message-Id: <200304282346.TAA13263@quince.ifs.umich.edu>
to: kerberos@mit.edu
In-reply-to: Your message of "Mon, 28 Apr 2003 17:43:26 CDT."
<BB48F73042D29D41A033A684D5FBB98405DCB3EB@exchange.uta.edu>
Date: Mon, 28 Apr 2003 19:46:16 -0400
From: Marcus Watts <mdw@umich.edu>
Errors-To: kerberos-bounces@mit.edu
Digant Kasundra <digant@uta.edu> writes:
> Hello folks,
>
> I'm trying to use the kerberos pam module for authenticating a Linux machine
> against Active Directory. It works like a charm! But when someone has an
> expired password, it simply says "You must change your password immediately"
> but then still lets them login without changing their password. Is there a
> way to make the module force them to change the password?
Yes.
#1 the pam module should return PAM_NEW_AUTHTOK_REQD
(from pam_sm_acct_mgmt)
#2 the application needs to have code to do the right thing.
(when calling pam_acct_mgmt, check for PAM_NEW_AUTHTOK_REQD,
then perhaps pam_chauthtok(,PAM_CHANGE_EXPIRED_AUTHTOK)
and check for success.)
The k5 pam will need to do extra book-keeping to make this all
work as expected by applications.
#3 good luck making this work with ftpd.
This is with Microsoft Active Directory, is it?
-Marcus Watts
UM ITCS Umich Systems Group
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos