Request to change MIT Kerberos behavior when principal is expired, deleted or password changed
Chris Hecker
checker at d6.com
Fri Mar 7 17:09:59 EST 2014
[Oops, meant this to go to the list but sent it to Nico.]
This is related to this thread I started a long time ago. I have my KDC
patched to do this, and Greg offered to take the patch, but then the
1.10 KDC rearchitecture thing happened and I haven't updated it yet.
https://www.mail-archive.com/kerberos@mit.edu/msg18021.html
I will eventually update my patch, but if somebody beats me to it,
that'd be cool too.
Chris
On 2014-03-06 12:37, Nico Williams wrote:
> On Thu, Mar 6, 2014 at 1:31 PM, Edgecombe, Jason <jwedgeco at uncc.edu> wrote:
>> Does Heimdal reject requests for expired/disabled accounts as well?
>
> It rejects in these cases:
>
> - the HDB doesn't have an entry for the client principal but should have
> - the HDB did have an entry and the client principal was marked locked out
> - the HDB did have an entry and the client principal was marked invalid
> - the HDB did have an entry and the client principal was marked not a client
> - the HDB did have an entry and the client principal's valid_start
> (which is only really supported via the LDAP HDB backend)
> - the HDB did have an entry and the client principal requires a password change
> - the HDB did have an entry and the client principal's password is expired
>
> It'd be trivial to reject requests using tickets predating the last
> password change.
>
> Nico
>
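The checks listed in the quoted reply, together with the suggested rejection of tickets that predate the last password change, written out as an added C example; it is not code from Heimdal, MIT Kerberos or either poster. The `princ_entry` struct and its field names, the function name `tgs_client_check`, the choice of RFC 4120 error code for each case, and the use of the ticket's authtime for the password-change comparison are assumptions of this example.

```c
#include <stdio.h>
#include <time.h>

/* RFC 4120 error numbers; which code a real KDC returns per case is assumed. */
enum {
    CHECK_OK = 0,
    KDC_ERR_NAME_EXP = 1,
    KDC_ERR_C_PRINCIPAL_UNKNOWN = 6,
    KDC_ERR_POLICY = 12,
    KDC_ERR_CLIENT_REVOKED = 18,
    KDC_ERR_CLIENT_NOTYET = 21,
    KDC_ERR_KEY_EXPIRED = 23
};

/* Hypothetical database entry (illustrative fields; 0 means "unset"). */
struct princ_entry {
    int locked_out, invalid, is_client, require_pwchange;
    time_t valid_start, valid_end, pw_end, last_pw_change;
};

/* Re-validate the client named in a presented ticket.
 * e == NULL models a principal that has been deleted from the database;
 * authtime is the ticket's initial authentication time. */
int tgs_client_check(const struct princ_entry *e, time_t authtime, time_t now)
{
    if (e == NULL)                             return KDC_ERR_C_PRINCIPAL_UNKNOWN;
    if (e->locked_out || e->invalid)           return KDC_ERR_CLIENT_REVOKED;
    if (!e->is_client)                         return KDC_ERR_POLICY;
    if (e->valid_start && now < e->valid_start) return KDC_ERR_CLIENT_NOTYET;
    if (e->valid_end && now >= e->valid_end)   return KDC_ERR_NAME_EXP;
    if (e->require_pwchange)                   return KDC_ERR_KEY_EXPIRED;
    if (e->pw_end && now >= e->pw_end)         return KDC_ERR_KEY_EXPIRED;
    /* Ticket was issued before the current password was set: reject it. */
    if (authtime < e->last_pw_change)          return KDC_ERR_POLICY;
    return CHECK_OK;
}

int main(void)
{
    /* Constructed sample: password changed at t=1000, request arrives at t=2000. */
    struct princ_entry e = {0};
    e.is_client = 1;
    e.last_pw_change = 1000;
    printf("ticket from t=500:  %d\n", tgs_client_check(&e, 500, 2000));
    printf("ticket from t=1500: %d\n", tgs_client_check(&e, 1500, 2000));
    printf("deleted principal:  %d\n", tgs_client_check(NULL, 1500, 2000));
    return 0;
}
```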