Kerberos for AD Authentication
Marcus Watts
mdw at umich.edu
Mon Apr 28 19:46:16 EDT 2003
Digant Kasundra <digant at uta.edu> writes:
> Hello folks,
>
> I'm trying to use the kerberos pam module for authenticating a linux machine
> against Active Directory. It works like a charm! But when someone has an
> expired password, it simply says "You must change your password immediately"
> but then still lets them login without changing their password. Is there a
> way to make the module force them to change the password?
Yes.
#1 the pam module should return PAM_NEW_AUTHTOK_REQD
(from pam_sm_acct_mgmt)
#2 the application needs to have code to do the right thing.
(when calling pam_acct_mgmt, check for PAM_NEW_AUTHTOK_REQD,
then perhaps pam_chauthtok(,PAM_CHANGE_EXPIRED_AUTHTOK)
and check for success.)
The k5 pam will need to do extra book-keeping to make this all
work as expected by applications.
#3 good luck making this work with ftpd.
This is with Microsoft Active Directory, is it?
-Marcus Watts
UM ITCS Umich Systems Group