Password Expiration notifications
John Hascall
john at iastate.edu
Thu Apr 6 12:25:31 EDT 2006
> Based on some excellent suggestions, I have started pursuing parsing the
> dump file (produced by "kdb5_util dump"). I think I have figured out
> most of the columns. Could someone point me to a (preferably non source
> code) reference describing the dump format? I now have a need to
> retrieve the "Password Last Changed" value, and am having difficulty
> determining which column this is.

The dump format has changed about a zillion times.
The top line of the file will tell you which it is.
For example:

    kdb5_util load_dump version 5

And then, the only documentation I am aware of (please somebody
correct me) is src/kadmin/dbutil/dump.c

In my case, looking in the proper dump formatting routine I
find there is a comment there that says:

    /*
     * The dump format is as follows:
     * len strlen(name) n_tl_data n_key_data e_length
     * name
     * attributes max_life max_renewable_life expiration
     * pw_expiration last_success last_failed fail_auth_count
     * n_tl_data*[type length <contents>]
     * n_key_data*[ver kvno ver*(type length <contents>)]
     * <e_data>
     * Fields which are not encapsulated by angle-brackets are to appear
     * verbatim. Bracketed fields absence is indicated by a -1 in its
     * place
     */

So for my dump file:

    princ 38 20 3 1 0 janeuser at IASTATE.EDU 0
    2592000 2592000 0 1134953860 1134953740 0 0 3
    28 12345c01000000046578700000000800000000000000000200000000 2
    24 0c05a6436b61646d696e6440494153544154452e45445500 1 4
    0c05a643 2 82 1 26
    0000000000000000000000000000000000000000000000000000 1 0 -1 -1;

The value is 1134953860 (12th column).

John

> Thank you,
> -Matt
>
> Matthew J. Smith wrote:
> > Hello all,
> >
> > I am using MIT Krb5 1.4.3, and am looking to send an email
> > notification to my users 14 days before their passwords expire. I have
> > cobbled together a Proof-of-Concept using kadmin -q "getprinc -terse" to
> > scrape the password expiration date from each principal. The PoC works,
> > but seems "inefficient", requiring a getprinc to the KDC for each princ
> > returned by listprincs. Is there a better way? Is there a way to query
> > the KDC for a list of users whose password is about to expire? Or at
> > least, is there a kadm5_get_principals call that will return an array of
> > principal structures (instead of just a string[] of names), which I can
> > just iterate over locally, looking at expiration timestamps?
> >
> > Thank you for any insight you can offer,
> > -Matt
> >
> > ---
> > matt.smith at uconn.edu
> > University of Connecticut ITS
> >
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
>
>
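
Added example, not part of the original thread or of the krb5 source: a Python sketch of the dump-parsing approach discussed above, reading pw_expiration from the 12th column of each "princ" record in a version 5 dump and listing principals inside a 14-day window. The function names and the sample records are constructed for illustration; the parser assumes whitespace-separated fields and rejects any other dump header.

```python
import time

HEADER = "kdb5_util load_dump version 5"   # the only layout this parser accepts
DAY = 86400

def parse_princ(line):
    """Return (name, pw_expiration) for a 'princ' record, None for other lines."""
    f = line.split()
    if not f or f[0] != "princ":
        return None                        # not a principal record
    if len(f) < 15:
        raise ValueError("truncated princ record")
    # f[1:6] = len strlen(name) n_tl_data n_key_data e_length; f[6] = name
    name = f[6]
    if len(name) != int(f[2]):
        # A name containing whitespace would shift every later column.
        raise ValueError("name length mismatch for %r" % name)
    # f[7:11] = attributes max_life max_renewable_life expiration
    return name, int(f[11])                # pw_expiration, the 12th column

def expiring(lines, now=None, window_days=14):
    """List (principal, whole days left) for passwords expiring in the window."""
    now = int(time.time()) if now is None else now
    lines = iter(lines)
    header = next(lines, "").strip()
    if header != HEADER:
        raise ValueError("unsupported dump header: %r" % header)
    hits = []
    for line in lines:
        rec = parse_princ(line)
        if rec is None:
            continue
        name, pw_exp = rec
        # 0 means the password never expires; already-expired ones are skipped.
        if pw_exp and 0 <= pw_exp - now <= window_days * DAY:
            hits.append((name, (pw_exp - now) // DAY))
    return hits

# Constructed sample: shortened records with no tl_data or key_data entries.
SAMPLE = """kdb5_util load_dump version 5
princ 38 20 0 0 0 janeuser@IASTATE.EDU 0 2592000 2592000 0 1134953860 1134953740 0 0 -1;
princ 38 19 0 0 0 bobuser@IASTATE.EDU 0 2592000 2592000 0 0 0 0 0 -1;
princ 38 17 0 0 0 carol@IASTATE.EDU 0 2592000 2592000 0 1136681860 0 0 0 -1;
"""

if __name__ == "__main__":
    for name, days in expiring(SAMPLE.splitlines(), now=1134089860):
        print("%s: password expires in %d days" % (name, days))
```

A real dump also carries every principal's key data, so keep the file on the KDC with restrictive permissions and delete it once the report has run.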