password change after expiry
Marcin N
nichu at WYTNIJ.onet.pl
Tue Mar 11 03:52:06 EDT 2008
Russ Allbery wrote:
> Marcin Niśkiewicz <mniskiewicz at o2.pl> writes:
>
>> When the password of any user expires there is a notice during login that
>> "Password expired. You must change it now", but there is no prompt to
>> change it - the login procedure simply stops.
>>
>> How should I configure kerberos/pam to have the possibility to change an
>> expired password after typing valid login information?
>
> Which operating system, authentication mechanism, and Kerberos
> implementation are you using?
>
Oh yeah, I forgot to write about it :/
I'm using mit-krb5 on Gentoo - it's on the clients.
The server is on Debian (krb5-kdc and krb5-admin-server 1.4.4-7etch4) but
will probably be on Solaris.
On the clients, in /etc/pam.d/system-auth I have:
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_krb5.so
password required pam_cracklib.so retry=3 type=
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session required pam_mkhomedir.so skel=/etc/skel
session required pam_limits.so
session required pam_unix.so
session optional pam_krb5.so
/etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.COM
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
DOMAIN.COM = {
admin_server = marcin.domain.com
kdc = marcin.domain.com
master_kdc = marcin.domain.com
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
[logging]
default = FILE:/var/log/kerberos
on server
/etc/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 750,88
[realms]
DC.TECH = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = +preauth
}
Regards
nichu
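Added here as an example (not part of the post, nor pam_krb5's own code): a small Python check of how an account stack like the one above treats PAM_NEW_AUTHTOK_REQD, the return code pam_krb5's account-management hook uses to report an expired password and the code login must see before it will call pam_chauthtok. Linux-PAM's pam.conf(5) expands `required` to `[success=ok new_authtok_reqd=ok ignore=ignore default=bad]`, so a hand-written bracket control with no `new_authtok_reqd=` entry sends that code to its `default=` action. The sample stack is constructed from the post with its wrapped line joined.

```python
"""Check how a Linux-PAM 'account' stack maps PAM_NEW_AUTHTOK_REQD.

login calls pam_acct_mgmt() and only prompts for a new password when that
call returns PAM_NEW_AUTHTOK_REQD; a control field that maps the code to
'bad' or 'die' turns the expired-password notice into a plain failure.
"""
import re

# Keyword controls expanded to their bracket form, as documented in pam.conf(5).
KEYWORD_CONTROLS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

# type, control (keyword or [bracketed]), module path, remaining module args
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

# Constructed sample: the account stack from the post, wrapped line joined.
SAMPLE_STACK = """\
account required pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_krb5.so
"""

def parse_stack(text):
    """Return (type, control, module, args) for each non-comment config line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3), m.group(4).strip()))
    return entries

def action_for(control, retcode):
    """Return the action a control field assigns to one PAM return code."""
    spec = KEYWORD_CONTROLS.get(control, control.strip("[]"))
    actions = dict(item.split("=", 1) for item in spec.split())
    return actions.get(retcode, actions.get("default", "ignore"))

def expired_password_blockers(text, module="pam_krb5.so"):
    """List account entries for `module` whose control fails NEW_AUTHTOK_REQD."""
    blockers = []
    for ptype, control, mod, _args in parse_stack(text):
        if ptype == "account" and mod == module:
            action = action_for(control, "new_authtok_reqd")
            if action in ("bad", "die"):
                blockers.append((mod, control, action))
    return blockers
```

Run `expired_password_blockers(open("/etc/pam.d/system-auth").read())` against a real stack; an empty list means the expired-password code reaches the application.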