Kerberos for AD Authentication

Marcus Watts mdw at umich.edu
Mon Apr 28 19:46:16 EDT 2003


Digant Kasundra <digant at uta.edu> writes:
> Hello folks,
>  
> I'm trying to use the kerberos pam module for authenticating a linux machine
> against Active Directory.  It works like a charm!  But when someone has an
> expired password, it simply says "You must change your password immediately"
> but then still lets them login without changing their password.  Is there a
> way to make the module force them to change the password?

Yes.

#1 the pam module should return PAM_NEW_AUTHTOK_REQD
	(from pam_sm_acct_mgmt)

#2 the application needs to have code to do the right thing.
	(when calling pam_acct_mgmt, check for PAM_NEW_AUTHTOK_REQD,
	then perhaps pam_chauthtok(,PAM_CHANGE_EXPIRED_AUTHTOK)
	and check for success.)

	The k5 pam will need to do extra book-keeping to make this all
	work as expected by applications.

#3 good luck making this work with ftpd.

This is with MicroSoft Active Directory is it?

					-Marcus Watts
					UM ITCS Umich Systems Group


More information about the Kerberos mailing list