Password Expiration notifications

James J. Barlow jbarlow at ncsa.uiuc.edu
Tue Apr 4 15:34:56 EDT 2006


On Tue, Apr 04, 2006 at 09:44:45AM -0400, Matthew J. Smith wrote:
> Thank you for the responses so far.  I've received a few suggestions
> that I use the dump file to gather my information, and I may go down
> that road.  However, I am still interested if anyone has implemented
> anything using the kadmin protocol, so that the code does not need any
> local access to the KDC.  Any comments?

We have a script here that we have been using for the last couple years
to do this very thing.  It uses kadmin.local to grab a list of the principals,
then does a getprinc for each of them (ignoring the principals we don't
want such as host/, cross-realm, etc.).  Then it parses the getprinc
output and determines who needs to get a warning, who needs to be expired,
etc.  So in theory, the same thing would work remotely, except that if
you wanted an automated process, the admin password would need to
be stored somewhere (script or keytab), which may be questionable.
Any reason you wouldn't want to run it on a KDC?  No problem automating
it there, and you wouldn't need to have an admin password laying around
(or if you did it's not that big of an issue since all other principal
keys are on the machine anyway :).

Also, recently we started dumping the principal database into a MySQL
database nightly (just user info, not the keys :).  We can now track
any changes done to all principals over time.  Users and admins can also
look at their (or others) principal information on a web page (based on
the access permissions they have).


> Matthew J. Smith wrote:
> > Hello all,
> > 
> >   I am using MIT Krb5 1.4.3, and am looking to send an email
> > notification to my users 14 days before their passwords expire.  I have
> > cobbled together a Proof-of-Concept using kadmin -q "getprinc -terse" to
> > scrape the password expiration date from each principal.  The PoC works,
> > but seems "inefficient", requiring a getprinc to the KDC for each princ
> > returned by listprincs.  Is there a better way?  Is there a way to query
> > the KDC for a list of users whose password is about to expire?  Or at
> > least, is there a kadm5_get_principals call that will return an array of
> > principal structures (instead of just a string[] of names), which I can
> > just iterate over locally, looking at expiration timestamps?
> > 
> > Thank you for any insight you can offer,
> > -Matt
> > 
> > ---
> > matt.smith at uconn.edu
> > University of Connecticut ITS
> > 	
> > 
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> > 

-- 
James J. Barlow   <jbarlow at ncsa.uiuc.edu>
Head of Security Operations and Incident Response
National Center for Supercomputing Applications    Voice : (217)244-6403
1205 West Clark Street, Urbana, IL  61801           Cell : (217)840-0601
http://www.ncsa.uiuc.edu/~jbarlow                    Fax : (217)244-1987
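A Python version of the check the reply above describes, added here as an illustration and not code from either poster: it reads the `Password expiration date:` line of MIT `getprinc` output (field name and date layout assumed from MIT kadmin), skips service and cross-realm principals, and sorts the rest into warn, expired, never and ok. The sample outputs and the `NOW` date are constructed; feeding it real `kadmin.local -q "getprinc <name>"` output is left to the caller.

```python
import re
from datetime import datetime

# Assumed MIT krb5 getprinc output format; only this line is matched.
PWEXP_RE = re.compile(r"^Password expiration date:\s*(.+?)\s*$", re.MULTILINE)
# e.g. "Fri Apr 14 10:00:00 EDT 2006": the zone name is captured out of the strptime input
DATE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})$")

# Constructed sample of per-principal getprinc output (not real KDC data).
SAMPLE = {
    "alice@EXAMPLE.ORG": "Principal: alice@EXAMPLE.ORG\nPassword expiration date: Fri Apr 14 10:00:00 EDT 2006\n",
    "bob@EXAMPLE.ORG": "Principal: bob@EXAMPLE.ORG\nPassword expiration date: Mon May 15 09:30:00 EDT 2006\n",
    "carol@EXAMPLE.ORG": "Principal: carol@EXAMPLE.ORG\nPassword expiration date: Sat Apr 01 08:00:00 EST 2006\n",
    "dave@EXAMPLE.ORG": "Principal: dave@EXAMPLE.ORG\nPassword expiration date: [never]\n",
    "host/kdc.example.org@EXAMPLE.ORG": "Principal: host/kdc.example.org@EXAMPLE.ORG\n",
    "krbtgt/OTHER.REALM@EXAMPLE.ORG": "Principal: krbtgt/OTHER.REALM@EXAMPLE.ORG\n",
}
NOW = datetime(2006, 4, 4, 12, 0, 0)  # constructed "today", matching the thread's date


def is_user_principal(name):
    """Skip host/, krbtgt/ (cross-realm) and other multi-component principals."""
    return "/" not in name.split("@", 1)[0]


def parse_password_expiration(getprinc_output):
    """Password expiration as a naive datetime, or None when kadmin prints [never]."""
    m = PWEXP_RE.search(getprinc_output)
    if not m:
        raise ValueError("no 'Password expiration date' line in getprinc output")
    if m.group(1) == "[never]":
        return None
    d = DATE_RE.match(m.group(1))
    if not d:
        raise ValueError("unrecognised date: %r" % m.group(1))
    # strptime's %Z rejects zone names such as EDT, so the zone is dropped; a naive
    # local time is good enough for day-granularity warnings.
    return datetime.strptime(d.group(1) + " " + d.group(2), "%a %b %d %H:%M:%S %Y")


def classify(expires, now, warn_days=14):
    """'never', 'expired', 'warn' (expires within warn_days) or 'ok', plus days left."""
    if expires is None:
        return "never", None
    days_left = (expires - now).days
    if expires <= now:
        return "expired", days_left
    return ("warn" if days_left <= warn_days else "ok"), days_left


def expiration_report(getprinc_by_principal, now, warn_days=14):
    """Per user principal: (state, days_left); service and cross-realm entries are skipped."""
    return {name: classify(parse_password_expiration(out), now, warn_days)
            for name, out in getprinc_by_principal.items() if is_user_principal(name)}
```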


