confusion in ank.

Russ Allbery rra at stanford.edu
Mon Apr 16 13:03:39 EDT 2007


Vipin Rathor <v.rathor at gmail.com> writes:

> While I was playing with Kerberos, I came across this issue.
> I created a principal 'bug' with the ank command like this:
> kadmin: ank -pwexpire "5/5/2007 12:0:0 GMT" -randkey bug
> It successfully created the principal, but when I tried to see
> this entry it is showing me
> ....
> Password expiration date: [none]
> ....

> My questions:
> 1. Is this an expected behavior?
> 2. Is this happening because of '-randkey'? (since not specifying -randkey
>  gave proper Password expiration date.)

It probably is happening because of -randkey, although I think that's a
bug.

-randkey is implemented under the hood by creating a disabled account with
a fixed password, changing its password to a random password, and then
enabling the account.  I bet that the password expiration is applied to
the initial account creation and then cleared immediately by the password
change to the random password.

(This is why, when you create an account with -randkey, it immediately
ends up with a kvno of 2 instead of 1.)

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
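
The creation sequence described in the reply above, as an added example that is not part of the original message and is not MIT Kerberos code. It is a toy model: every name in it is hypothetical, and the rule that a key change clears the password expiration is the reply's guess, taken here as an assumption.

```python
# Toy model of the -randkey sequence described in the reply above.
# Not MIT Kerberos code: all names here are hypothetical.
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

EXPIRY = datetime(2007, 5, 5, 12, 0, 0, tzinfo=timezone.utc)  # the -pwexpire value from the post

@dataclass
class Principal:
    name: str
    key: bytes
    kvno: int = 1
    disabled: bool = False
    pw_expiration: Optional[datetime] = None  # None is displayed as "[none]"

def create(name, key, pw_expiration=None, disabled=False):
    """Initial creation: the first key gets kvno 1 and the requested expiration."""
    return Principal(name, key, 1, disabled, pw_expiration)

def change_key(princ, new_key):
    """Key change: bumps kvno. ASSUMPTION (the reply's guess): the change
    also clears pw_expiration."""
    princ.key = new_key
    princ.kvno += 1
    princ.pw_expiration = None

def ank_password(name, password, pw_expiration=None):
    """Creation with an operator-supplied password: a single step."""
    return create(name, password, pw_expiration)

def ank_randkey(name, pw_expiration=None, reapply=False):
    """Creation with -randkey as the reply describes it: three steps."""
    princ = create(name, b"fixed-dummy-password", pw_expiration, disabled=True)
    change_key(princ, secrets.token_bytes(32))   # random key replaces the fixed one
    if reapply:                                  # modelled fix: restore the request
        princ.pw_expiration = pw_expiration
    princ.disabled = False                       # enable only after the key is random
    return princ

def show(princ):
    exp = princ.pw_expiration.isoformat() if princ.pw_expiration else "[none]"
    return f"{princ.name}: kvno {princ.kvno}, password expiration {exp}"

if __name__ == "__main__":
    print(show(ank_password("bug", b"constructed-password", EXPIRY)))
    print(show(ank_randkey("bug", EXPIRY)))
    print(show(ank_randkey("bug", EXPIRY, reapply=True)))
```

On a real KDC, the operator-side counterpart of `reapply=True` would be setting the expiration again with `modprinc -pwexpire` after creation; whether that is needed depends on the guess above being right.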


