using REQUIRES_PWCHANGE kinit reports expired passwords
Tom Yu
tlyu at MIT.EDU
Thu Oct 9 16:10:19 EDT 2008
"Eduardo A Muñoz" <eagmunoz at gmail.com> writes:
> Hi,
>
> I'm working with Ubuntu 7.10 clients authenticating against Kerberos. The
> issue arises when I set the REQUIRES_PWCHANGE attribute to a user key so
> that at the next login they are required to change the password. Some machines
> (not all) can't authenticate when the mentioned attribute is set; they
> report
> "kinit(v5): Password has expired while getting initial credentials"
>
> (Of course my password expiration time hasn't been reached, and it reports
> the same working with policies or without them.)
>
> If I unset the attribute, I can obtain the tickets. Like I said, this
> behavior is present on some machines; others can get tickets with the
> attribute set or unset with the same principals.
This seems very strange and inconsistent. Are you sure all the client
machines are talking to the same KDC? REQUIRES_PWCHANGE should always
cause authentication failure except for service principals marked as
password-changing service principals.