kinit always warning about passw expiration

Jeffrey Hutzelman jhutz at cmu.edu
Thu Nov 30 23:56:57 EST 2006
On Monday, November 27, 2006 03:26:25 PM -0200 Andreas Hasenack 
<ahasenack at terra.com.br> wrote:

> When I run MIT's kinit (version 1.4.3 + sec.patch) against a heimdal KDC
> (0.7, backend in ldap, no samba attributes), I always get the password
> expiration warning:
>
> $ kinit
> Password for mary at EXAMPLE.COM:
> Warning: Your password will expire in 364 days on Tue Nov 27 15:17:52 2007
> $
>
> The KDC has this attribute in this user's entry:
> krb5PasswordEnd: 20071127171752Z
>
> If I do the same from heimdal's kinit, I only get the warning if the
> expiration time is in 7 days or less, which is my intention.
>
> I suppose there is some incompatibility in the network protocol
> between the two implementations?

No.  The protocol carries information about when the password is due to 
expire; it's up to the client to decide what to do with this data (of 
course, if the password is expired, the KDC will return an error).

There are two ways in which password expiration data can be carried in the 
Kerberos protocol, both of which are optional.  In one of these cases (the 
use of last-req to carry key or account expiration data), if the data is 
provided, the MIT client code always prints a warning; in the other (the 
key-expiration field), the warning is printed only if the password expires 
within 7 days.

The Heimdal KDC provides a last-req entry for account expiration if the 
principal has an expiration date, and provides an entry for password 
expiration if the password expires within the period specified by the 
kdc_warn_expire option; if the option is not set, this data is always 
provided.

The Heimdal client prints expiration data only if the expiration date is 
within the period specified by the warn_pwexpire config option, which 
defaults to 7 days.


So, this difference is a result of a difference in client behavior, with 
the proviso that as of the version I looked at (possibly fairly old), MIT 
Kerberos does not provide any mechanism for changing the client 
configuration; it always warns about last-req data for password or account 
expiration, and warns about key-expiration only if the expiration date is 
within 7 days.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
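As an added illustration (not code from this mail, from MIT Kerberos, or from Heimdal), the following models the behaviour Jeffrey describes: the Heimdal KDC deciding which last-req entries to send, and each client deciding whether to print a warning. It assumes the RFC 4120 last-req type codes 6 (password expiration) and 7 (account expiration), which the mail does not name; the timestamps are constructed from the kinit session quoted above.

```python
from datetime import datetime, timedelta

# LastReq type codes from RFC 4120 section 5.4.2 (assumed; the mail names no numbers)
LR_PASSWORD_EXPIRES = 6
LR_ACCOUNT_EXPIRES = 7


def kdc_last_req(now, pw_end, account_end, kdc_warn_expire=None):
    """Heimdal KDC side, as described in the mail: an account-expiration entry
    whenever the principal has one; a password-expiration entry only when it
    falls within kdc_warn_expire, or always if that option is unset."""
    entries = []
    if account_end is not None:
        entries.append((LR_ACCOUNT_EXPIRES, account_end))
    if pw_end is not None and (kdc_warn_expire is None or pw_end - now <= kdc_warn_expire):
        entries.append((LR_PASSWORD_EXPIRES, pw_end))
    return entries


def client_warnings(now, last_req, key_expiration, client, warn_pwexpire=timedelta(days=7)):
    """Client side. 'mit': warn on every password/account last-req entry and on
    key-expiration only within 7 days (no config knob). 'heimdal': warn only
    when the date is within warn_pwexpire (default 7 days)."""
    out = []

    def fmt(kind, when):
        return (f"Warning: Your {kind} will expire in {(when - now).days} days "
                f"on {when:%a %b %d %H:%M:%S %Y}")

    for lr_type, when in last_req:
        kind = {LR_PASSWORD_EXPIRES: "password", LR_ACCOUNT_EXPIRES: "account"}.get(lr_type)
        if kind is None:
            continue
        if client == "mit" or when - now <= warn_pwexpire:
            out.append(fmt(kind, when))
    key_window = timedelta(days=7) if client == "mit" else warn_pwexpire
    if key_expiration is not None and key_expiration - now <= key_window:
        out.append(fmt("password", key_expiration))
    return out


def scenario(kdc_warn_expire=None):
    """Replay the quoted session: password expiring ~364 days out, no account
    expiration, no key-expiration field. Times are constructed from the mail."""
    now = datetime(2006, 11, 27, 15, 26, 25)          # time of the original post (-0200)
    pw_end = datetime(2007, 11, 27, 15, 17, 52)       # krb5PasswordEnd 20071127171752Z in -0200
    lr = kdc_last_req(now, pw_end, None, kdc_warn_expire)
    return {c: client_warnings(now, lr, None, c) for c in ("mit", "heimdal")}
```

With kdc_warn_expire unset, the MIT client warns 364 days out while Heimdal's client stays silent; setting kdc_warn_expire to 7 days on the KDC suppresses the last-req entry entirely, which is the only lever available since the MIT client of that era has no configurable threshold.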
