[17569] in Kerberos_V5_Development
Re: suggestion for locating master kdc logic
daemon@ATHENA.MIT.EDU (Russ Allbery)
Fri Apr 6 17:11:37 2012
From: Russ Allbery <rra@stanford.edu>
To: krbdev@mit.edu
In-Reply-To: <4F7F5389.50303@mit.edu> (Greg Hudson's message of "Fri, 06 Apr 2012 16:35:21 -0400")
Date: Fri, 06 Apr 2012 14:11:32 -0700
Message-ID: <877gxs5zwb.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
Greg Hudson <ghudson@MIT.EDU> writes:
> On 04/06/2012 04:09 PM, Russ Allbery wrote:
>> Not only do you lose fallback in this case, but you also don't get
>> password change on expired password, unless you patched the code to not
>> require master_kdc in that case as well.
> My test results with current code don't match this claim. I do see a
> bug that the kpasswd_server -> admin_server fallback doesn't work for
> kinit password changes, but the presence or absence of master_kdc
> doesn't seem to have any relevance. (Nor would one expect it to, since
> password changes don't go through a KDC.)
Ah, it looks like it was fixed in 2006:
r18764 | jaltman | 2006-11-06 13:55:13 -0800 (Mon, 06 Nov 2006) | 18 lines
ticket: new
tags: pullup
subject: krb5_get_init_creds_password does not consistently prompt for password changing
krb5_get_init_creds_password() previously did not consistently
handle KRB5KDC_ERR_KEY_EXP errors. If there is a "master_kdc"
entry for the realm and the KDC is reachable, then the function
will prompt the user for a password change. Otherwise, it will
return the error code to the caller. If the caller is a ticket
manager, it will prompt the user for a password change with a
dialog that is different from the one generated by the prompter
function passed to krb5_get_init_creds_password.
With this change krb5_get_init_creds_password() will always
prompt the user if it would return KRB5KDC_ERR_KEY_EXP unless
the function is compiled with USE_LOGIN_LIBRARY. (KFM)
Thanks for pointing me at that. I'll update my documentation accordingly.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
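For readers checking how the settings named in this thread fit together, the following is an added example of a krb5.conf [realms] stanza; it is not part of the original message or of the krb5 source, and the realm and host names in it are placeholders. It shows where master_kdc, admin_server and kpasswd_server live and which code path each one serves: master_kdc is consulted only when initial-credential acquisition fails with a bad password (a retry against the master in case a fresh password change has not yet propagated to the replicas), while password changes go to kpasswd_server, or to admin_server on port 464 when kpasswd_server is absent. That default is the kpasswd_server -> admin_server fallback whose behaviour for kinit-driven changes Greg describes as buggy above.

```ini
# Added example krb5.conf realm stanza (not from the original message).
# EXAMPLE.COM and the *.example.com hosts are hypothetical placeholders.
[realms]
    EXAMPLE.COM = {
        # Ordinary KDCs used for AS/TGS exchanges; listed in preference order.
        kdc = kdc1.example.com
        kdc = kdc2.example.com

        # Used by the initial-credentials code only to retry a failed
        # password preauth against the master, covering a password change
        # that has not yet propagated to replicas. It is not involved in
        # the kpasswd (password-change) exchange itself.
        master_kdc = kdc1.example.com

        # Host for kadmin traffic; with no kpasswd_server entry, libkrb5
        # also sends password changes here on port 464.
        admin_server = kdc1.example.com

        # Set only when password changes must go to a host other than
        # admin_server. Leaving it out exercises the fallback discussed
        # in the thread.
        # kpasswd_server = kdc1.example.com
    }
```

When auditing a client that cannot change an expired password, checking which of admin_server or kpasswd_server is actually set, and whether port 464 on that host is reachable, narrows the problem faster than looking at master_kdc, which the thread shows is irrelevant to that path.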