password change after expiry

Marcin N nichu at WYTNIJ.onet.pl
Tue Mar 11 03:52:06 EDT 2008


Russ Allbery wrote:
> Marcin Niśkiewicz <mniskiewicz at o2.pl> writes:
> 
>> When the password of any user expires there is a notice during login that
>> "Password expired. You must change it now" but there is no prompt to
>> change it - the login procedure simply stops.
>>
>> How should I configure Kerberos/PAM to have the possibility to change an
>> expired password after typing valid login information?
> 
> Which operating system, authentication mechanism, and Kerberos
> implementation are you using?
> 

Oh yeah, I forgot to write about it :/

I'm using mit-krb5 on Gentoo - it's on the clients.
The server is on Debian (krb5-kdc and krb5-admin-server 1.4.4-7etch4) but
will probably be on Solaris.

On the clients, in /etc/pam.d/system-auth I have:
auth  required    pam_env.so
auth  sufficient  pam_unix.so likeauth nullok
auth  sufficient  pam_krb5.so use_first_pass
auth  required    pam_deny.so

account   required      pam_unix.so
account   [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_krb5.so

password  required    pam_cracklib.so retry=3 type=
password  sufficient  pam_unix.so nullok use_authtok md5 shadow
password  sufficient  pam_krb5.so use_authtok
password  required    pam_deny.so

session    required     pam_mkhomedir.so  skel=/etc/skel
session   required    pam_limits.so
session   required    pam_unix.so
session   optional    pam_krb5.so


/etc/krb5.conf

[libdefaults]
        default_realm = DOMAIN.COM
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        DOMAIN.COM = {
                admin_server = marcin.domain.com
                kdc = marcin.domain.com
                master_kdc = marcin.domain.com
        }

[domain_realm]
        .domain.com = DOMAIN.COM
        domain.com = DOMAIN.COM

[logging]
        default = FILE:/var/log/kerberos

On the server, /etc/krb5kdc/kdc.conf:

[kdcdefaults]
        kdc_ports = 750,88

[realms]
        DC.TECH = {
                database_name = /var/lib/krb5kdc/principal
                admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
                acl_file = /etc/krb5kdc/kadm5.acl
                key_stash_file = /etc/krb5kdc/stash
                kdc_ports = 750,88
                max_life = 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                master_key_type = des3-hmac-sha1
                supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
                default_principal_flags = +preauth
        }


Regards
nichu
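Added example, not part of the mailing-list post: a small model of how Linux-PAM walks a module stack, applied to the system-auth stack quoted above for a Kerberos user whose password has expired. It parses the four stacks (including the bracketed control on the account line, written here with the backslash continuation pam.conf(5) accepts), expands required/requisite/sufficient/optional to the actions pam.conf(5) lists for them, and reports what each stack returns and which modules were actually invoked. The stack text is a constructed copy of the posted file; the per-module return values are constructed for the scenario, and the walk follows the pam.conf(5) description of ok/done/bad/die/ignore rather than libpam's exact code, so treat it as a model of the semantics, not a reimplementation.

```python
import re

# Expansions of the four control keywords, as tabulated in pam.conf(5).
SHORTHAND = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# Constructed copy of the system-auth stack from the post; the wrapped account
# entry uses the backslash continuation that pam.conf(5) accepts.
SYSTEM_AUTH = """\
auth      required    pam_env.so
auth      sufficient  pam_unix.so likeauth nullok
auth      sufficient  pam_krb5.so use_first_pass
auth      required    pam_deny.so
account   required    pam_unix.so
account   [default=bad success=ok user_unknown=ignore service_err=ignore \\
          system_err=ignore] pam_krb5.so
password  required    pam_cracklib.so retry=3 type=
password  sufficient  pam_unix.so nullok use_authtok md5 shadow
password  sufficient  pam_krb5.so use_authtok
password  required    pam_deny.so
session   required    pam_mkhomedir.so skel=/etc/skel
session   required    pam_limits.so
session   required    pam_unix.so
session   optional    pam_krb5.so
"""

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse(text):
    """Return {type: [(control_dict, module, args), ...]} for a pam.d file."""
    stacks = {}
    for raw in re.sub(r"\\\n", " ", text).splitlines():  # join continued lines
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable pam entry: %r" % raw)
        mtype, control, module, args = m.groups()
        if control.startswith("["):
            ctl = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            ctl = SHORTHAND[control]
        stacks.setdefault(mtype, []).append((ctl, module, args))
    return stacks


def evaluate(stack, results):
    """Walk one stack with the actions pam.conf(5) defines (a model, not libpam).

    results maps module -> return value name ("success", "new_authtok_reqd",
    "auth_err", ...); modules not listed return "success".
    Returns (stack return value, modules actually invoked).
    """
    impression, status, called, i = None, None, [], 0  # None = undecided
    while i < len(stack):
        ctl, module, _ = stack[i]
        i += 1
        called.append(module)
        retval = results.get(module, "success")
        action = ctl.get(retval, ctl.get("default", "bad"))
        if action == "ignore":
            continue
        if action == "reset":
            impression, status = None, None
        elif action in ("ok", "done") or action.isdigit():
            # "ok" contributes only while no failure has been recorded.
            if impression is None or (impression and status == "success"):
                if retval != "ignore":
                    impression, status = True, retval
            if action.isdigit():
                i += int(action)            # "N": skip the next N entries
            elif action == "done" and impression:
                break                       # sufficient-style early return
        elif action in ("bad", "die"):
            if impression is not False:     # the first failure wins
                impression, status = False, retval
            if action == "die":
                break
        else:
            raise ValueError("unknown action %r" % action)
    # Nothing contributed: fail closed, as libpam does (PAM_PERM_DENIED).
    return (status if status is not None else "perm_denied"), called


def expired_password_walkthrough():
    """Run the posted stacks for a Kerberos user whose password has expired.
    The per-module return values below are constructed for this scenario."""
    stacks = parse(SYSTEM_AUTH)
    return {
        # No local hash, so pam_unix fails; pam_krb5 accepts the password.
        "auth": evaluate(stacks["auth"], {"pam_unix.so": "auth_err",
                                          "pam_krb5.so": "success",
                                          "pam_deny.so": "auth_err"}),
        # The KDC reports the password as expired.
        "account": evaluate(stacks["account"], {"pam_krb5.so": "new_authtok_reqd"}),
        # The change is accepted by the KDC ...
        "password_ok": evaluate(stacks["password"], {"pam_unix.so": "user_unknown",
                                                     "pam_krb5.so": "success",
                                                     "pam_deny.so": "authtok_err"}),
        # ... or rejected, and pam_deny turns that into a hard failure.
        "password_fail": evaluate(stacks["password"], {"pam_unix.so": "user_unknown",
                                                       "pam_krb5.so": "authtok_err",
                                                       "pam_deny.so": "authtok_err"}),
    }


if __name__ == "__main__":
    for name, (code, mods) in expired_password_walkthrough().items():
        print("%-14s -> %-17s via %s" % (name, code, ", ".join(mods)))
```

The account case is the one that matters for the symptom in the thread: the stack hands new_authtok_reqd back to the application, and whether the login program then calls pam_chauthtok (which is what runs the password stack) is the application's decision, not something the stack itself can trigger.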