[37308] in Kerberos
Re: Account unlocking and kadmin
daemon@ATHENA.MIT.EDU (Greg Hudson)
Sat Nov 7 12:12:10 2015
To: John Devitofranceschi <foonon@gmail.com>, kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <563E30E0.903@mit.edu>
Date: Sat, 7 Nov 2015 12:12:00 -0500
In-Reply-To: <68483060-09A3-4560-99DE-6ACC6B9EB99D@gmail.com>
On 11/07/2015 12:00 PM, John Devitofranceschi wrote:
> Might it be the case that administrative account unlocking using kadmin (modprinc -unlock princname) will fail in some cases if the version of kadmin is not sufficiently modern?
>
> For example, kadmin from 1.8.2 can be used to unlock a principal on a 1.13.2 master, but not when the principal is locked on one of the slaves (when propagating from the master).
>
> When a 1.13.2 kadmin is used, "modprinc -unlock" works for the master and the slaves.
Yes, the client participates in setting the last-administrative-unlock
timestamp during an unlock, and that code was added in 1.9.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos