using REQUIRES_PWCHANGE kinit reports expired passwords

Tom Yu tlyu at MIT.EDU
Thu Oct 9 16:10:19 EDT 2008


"Eduardo A Muñoz" <eagmunoz at gmail.com> writes:

> Hi,
>
> I'm working with Ubuntu 7.10 clients authenticating against Kerberos. The
> issue arises when I set the REQUIRES_PWCHANGE attribute to a user key so
> that at next login they are required to change the password. Some machines
> (not all) can't authenticate when the mentioned attribute is set; they
> report
> "kinit(v5): Password has expired while getting initial credentials"
>
> (Of course my password expiration time hasn't been reached and it reports
> the same working with policies or without them)
>
> If I unset the attribute, I can obtain the tickets. Like I said, this
> behavior is present in some machines; others can get tickets with the
> attribute set or unset with the same principals.

This seems very strange and inconsistent.  Are you sure all the client
machines are talking to the same KDC?  REQUIRES_PWCHANGE should always
cause authentication failure except for service principals marked as
password-changing service principals.



