kinit always warning about passw expiration
Jeffrey Hutzelman
jhutz at cmu.edu
Thu Nov 30 23:56:57 EST 2006
On Monday, November 27, 2006 03:26:25 PM -0200 Andreas Hasenack
<ahasenack at terra.com.br> wrote:
> When I run MIT's kinit (version 1.4.3 + sec.patch) against a heimdal KDC
> (0.7, backend in ldap, no samba attributes), I always get the password
> expiration warning:
>
> $ kinit
> Password for mary at EXAMPLE.COM:
> Warning: Your password will expire in 364 days on Tue Nov 27 15:17:52 2007
> $
>
> The KDC has this attribute in this user's entry:
> krb5PasswordEnd: 20071127171752Z
>
> If I do the same from heimdal's kinit, I only get the warning if the
> expiration time is in 7 days or less, which is my intention.
>
> I suppose there is some incompatibility in the network protocol
> between the two implementations?
No. The protocol carries information about when the password is due to
expire; it's up to the client to decide what to do with this data (of
course, if the password is expired, the KDC will return an error).
There are two ways in which password expiration data can be carried in the
Kerberos protocol, both of which are optional. In one of these cases (the
use of last-req to carry key or account expiration data), if the data is
provided, the MIT client code always prints a warning; in the other (the
key-expiration field), the warning is printed only if the password expires
within 7 days.
The Heimdal KDC provides a last-req entry for account expiration if the
principal has an expiration date, and provides an entry for password
expiration if the password expires within the period specified by the
kdc_warn_expire option; if the option is not set, this data is always
provided.
The Heimdal client prints expiration data only if the expiration date is
within the period specified by the warn_pwexpire config option, which
defaults to 7 days.
So, this difference is a result of a difference in client behavior, with
the proviso that as of the version I looked at (possibly fairly old), MIT
Kerberos does not provide any mechanism for changing the client
configuration; it always warns about last-req data for password or account
expiration, and warns about key-expiration only if the expiration date is
within 7 days.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
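The two warning policies described in the reply above, modelled side by side, as an added example that is not code from MIT Kerberos, Heimdal, or this thread. The last-req type numbers (6 = password expiration, 7 = account expiration) are the ones RFC 4120 section 5.4.2 assigns; the 7-day default, the option names kdc_warn_expire and warn_pwexpire, and the warning wording follow the reply. The function names, the simplified reply model, the assumption that the KDC also fills the key-expiration field with the password end time, and the client timestamps are constructed for illustration.

```python
"""Model of how a Heimdal KDC's expiration data is interpreted by the MIT
and Heimdal kinit clients, per the reply above. Added illustration, not
MIT or Heimdal code; see the lead-in for what is assumed."""
from datetime import datetime, timedelta, timezone

LR_PW_EXPTIME = 6    # RFC 4120 5.4.2: time when the client's password will expire
LR_ACCT_EXPTIME = 7  # RFC 4120 5.4.2: time when the client's account will expire
ONE_WEEK = timedelta(days=7)


def parse_kerberos_time(text):
    """Parse a KerberosTime / LDAP GeneralizedTime such as '20071127171752Z'."""
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def heimdal_kdc_reply(pw_end, acct_end, now, kdc_warn_expire=None):
    """Simplified view of the expiration data the Heimdal KDC sends, per the
    reply: an account-expiration last-req entry whenever the principal has
    one, and a password-expiration entry only if the password expires within
    kdc_warn_expire (always, when the option is unset).
    Returns (last_req, key_expiration)."""
    last_req = []
    if acct_end is not None:
        last_req.append((LR_ACCT_EXPTIME, acct_end))
    if pw_end is not None and (kdc_warn_expire is None
                               or pw_end - now <= kdc_warn_expire):
        last_req.append((LR_PW_EXPTIME, pw_end))
    # Assumption: the key-expiration field mirrors the password end time.
    return last_req, pw_end


def format_warning(what, when, now):
    days = (when - now).days
    return (f"Warning: Your {what} will expire in {days} days "
            f"on {when:%a %b %d %H:%M:%S %Y}")


def mit_client_warning(last_req, key_expiration, now):
    """MIT kinit policy as described: a last-req entry for password or
    account expiration is always reported; otherwise the key-expiration
    field is reported only when it falls within 7 days."""
    for lr_type, when in last_req:
        if lr_type == LR_PW_EXPTIME:
            return format_warning("password", when, now)
        if lr_type == LR_ACCT_EXPTIME:
            return format_warning("account", when, now)
    if key_expiration is not None and key_expiration - now <= ONE_WEEK:
        return format_warning("password", key_expiration, now)
    return None


def heimdal_client_warning(last_req, key_expiration, now,
                           warn_pwexpire=ONE_WEEK):
    """Heimdal kinit policy as described: whatever expiration time the KDC
    supplied is reported only when it falls within warn_pwexpire."""
    candidates = [("password" if t == LR_PW_EXPTIME else "account", when)
                  for t, when in last_req
                  if t in (LR_PW_EXPTIME, LR_ACCT_EXPTIME)]
    if key_expiration is not None:
        candidates.append(("password", key_expiration))
    for what, when in candidates:
        if when - now <= warn_pwexpire:
            return format_warning(what, when, now)
    return None


def scenario(kdc_warn_expire=None, client_time="20061127172625Z"):
    """Replay the thread's situation: krb5PasswordEnd 20071127171752Z seen
    from a client at client_time (constructed), through both client policies."""
    now = parse_kerberos_time(client_time)
    pw_end = parse_kerberos_time("20071127171752Z")
    last_req, key_exp = heimdal_kdc_reply(pw_end, None, now, kdc_warn_expire)
    return {"mit": mit_client_warning(last_req, key_exp, now),
            "heimdal": heimdal_client_warning(last_req, key_exp, now)}


if __name__ == "__main__":
    print("kdc_warn_expire unset:", scenario())
    print("kdc_warn_expire = 7d: ", scenario(ONE_WEEK))
    print("two days before expiry:", scenario(ONE_WEEK, "20071125171752Z"))
```

With kdc_warn_expire unset, the model reproduces the thread: the MIT client reports the 364-day warning from the last-req entry while the Heimdal client stays silent. Setting kdc_warn_expire to seven days on the KDC side removes the entry from the reply, so the MIT client (which has no config knob of its own, per the reply) also stops warning until the password is actually close to expiry.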