Kerberos for AD Authentication

Marcus Watts mdw at
Mon Apr 28 19:46:16 EDT 2003

Digant Kasundra <digant at> writes:
> Hello folks,
> I'm trying to use the kerberos pam module for authenticating a linux machine
> against Active Directory.  It works like a charm!  But when someone has an
> expired password, it simply says "You must change your password immediately"
> but then still lets them login without changing their password.  Is there a
> way to make the module force them to change the password?


#1 the pam module should return PAM_NEW_AUTHTOK_REQD
	(from pam_sm_acct_mgmt)

#2 the application needs to have code to do the right thing.
	(when calling pam_acct_mgmt, check for PAM_NEW_AUTHTOK_REQD,
	then perhaps pam_chauthtok(,PAM_CHANGE_EXPIRED_AUTHTOK)
	and check for success.)

	The k5 pam will need to do extra book-keeping to make this all
	work as expected by applications.

#3 good luck making this work with ftpd.

This is with MicroSoft Active Directory is it?

					-Marcus Watts
					UM ITCS Umich Systems Group

More information about the Kerberos mailing list