Request to change MIT Kerberos behavior when principal is expired, deleted or password changed
Nico Williams
nico at cryptonector.com
Thu Mar 6 15:37:54 EST 2014
On Thu, Mar 6, 2014 at 1:31 PM, Edgecombe, Jason <jwedgeco at uncc.edu> wrote:
> Does Heimdal reject requests for expired/disabled accounts as well?
It rejects in these cases:
- the HDB doesn't have an entry for the client principal but should have
- the HDB did have an entry and the client principal was marked locked out
- the HDB did have an entry and the client principal was marked invalid
- the HDB did have an entry and the client principal was marked not a client
- the HDB did have an entry and the client principal's valid_start
(which is only really supported via the LDAP HDB backend)
- the HDB did have an entry and the client principal requires a password change
- the HDB did have an entry and the client principal's password is expired
It'd be trivial to reject requests using tickets predating the last
password change.
Nico
--
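The rejection rules listed in the reply above, plus the suggested "reject tickets that predate the last password change" check, written out as a small policy model. This is an added example, not Heimdal's KDC code: the `HdbEntry` field names, the `must_have_entry` switch and the rejection strings are assumptions chosen for illustration, loosely following the HDB flags named in the message.

```python
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta
from typing import Optional


@dataclass
class HdbEntry:
    """Subset of per-principal state a KDC consults before honouring a request.
    Field names are illustrative, not Heimdal's real HDB schema."""
    principal: str
    locked_out: bool = False             # account disabled by an administrator
    invalid: bool = False                # entry marked invalid
    client: bool = True                  # may this principal act as a client at all?
    valid_start: Optional[datetime] = None   # account not usable before this time
    requires_pw_change: bool = False     # must change password before getting tickets
    pw_end: Optional[datetime] = None    # password expiry time
    pw_last_change: Optional[datetime] = None  # when the password was last set


@dataclass
class Request:
    client_principal: str
    now: datetime
    # For TGS requests: authtime of the TGT being presented. None for AS requests.
    ticket_authtime: Optional[datetime] = None


def evaluate_client(req: Request, entry: Optional[HdbEntry],
                    must_have_entry: bool = True,
                    reject_pre_change_tickets: bool = True) -> Optional[str]:
    """Return None if the client principal may proceed, otherwise the reason
    the KDC should reject the request. Checks mirror the cases in the reply:
    missing entry, locked out, invalid, not a client, not yet valid,
    password change required, password expired; the final check is the
    'ticket predates last password change' rule suggested at the end."""
    if entry is None:
        # 'should have' an entry: e.g. a local-realm client. Cross-realm
        # clients are the usual case where the HDB legitimately lacks one.
        return "no HDB entry for client principal" if must_have_entry else None
    if entry.locked_out:
        return "client principal is locked out"
    if entry.invalid:
        return "client principal is marked invalid"
    if not entry.client:
        return "principal is not a client"
    if entry.valid_start is not None and req.now < entry.valid_start:
        return "client principal is not yet valid"
    if entry.requires_pw_change:
        return "client must change password first"
    if entry.pw_end is not None and req.now >= entry.pw_end:
        return "client password has expired"
    if (reject_pre_change_tickets and req.ticket_authtime is not None
            and entry.pw_last_change is not None
            and req.ticket_authtime < entry.pw_last_change):
        # A TGT issued before the password changed should not keep working:
        # the old credential may have been the reason for the change.
        return "ticket predates the last password change"
    return None


if __name__ == "__main__":
    # Constructed scenarios, not real KDC data.
    now = datetime(2014, 3, 6, 20, 0, tzinfo=timezone.utc)
    day = timedelta(days=1)
    cases = {
        "healthy": HdbEntry("jdoe@EXAMPLE.COM", pw_last_change=now - 30 * day),
        "locked": HdbEntry("jdoe@EXAMPLE.COM", locked_out=True),
        "future": HdbEntry("jdoe@EXAMPLE.COM", valid_start=now + day),
        "pw-expired": HdbEntry("jdoe@EXAMPLE.COM", pw_end=now - day),
        "pw-rotated": HdbEntry("jdoe@EXAMPLE.COM", pw_last_change=now - 1 * day),
    }
    for name, entry in cases.items():
        # present a TGT obtained two days ago
        req = Request("jdoe@EXAMPLE.COM", now, ticket_authtime=now - 2 * day)
        print(f"{name:11s} -> {evaluate_client(req, entry) or 'accept'}")
    print(f"{'no-entry':11s} -> {evaluate_client(Request('ghost@EXAMPLE.COM', now), None)}")
```

Each branch returns a distinct reason so the decision can be logged and later correlated in SIEM rules, e.g. to spot a burst of "locked out" or "predates the last password change" rejections for one principal. The `must_have_entry` switch is there because the reply says "but should have": a KDC that is acting for a foreign realm's clients cannot require a local entry.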