kerberos - Kadmin does not work
Stephen Carville
scarville at lereta.com
Fri Mar 6 15:57:42 EST 2015

I had this problem when I needed to set up a way for users to change or
reset their Kerberos passwords. I didn't want to let most of the users
have shell access to the Linux boxes and I really did not want accounts
with a generic password that never gets changed. That pretty much
eliminated kpasswd.

I ended up writing a CGI application that runs on an internal web server
and connects to the admin server via an ssh session. The ssh session is
configured to start up a small agent program that receives a username
and password then uses kadmin to change or reset the password. The
program runs as a user with only sufficient privileges to set a password
on an existing account and change its expiration time. "ADmciL" in
kadm5.acl.

It seemed kind of a clumsy way to do it and the code is not everywhere
pretty. Still, after I hammered out the wrinkles in permissions and ssh
keys, it has worked pretty well.

So it is doable but takes some work.

On 03/04/2015 06:32 PM, arun elango [Masked] wrote:
>
> Hi Ben,
>
> Thanks.
>
> Yes, Kpasswd can be used. But it requires user interaction in the
> console, I am looking for other methods wherein users don't need to enter
> their passwords in the console, i.e. pass the parameters to the kpasswd
> console programmatically.
>
> However, I heard from one of the members in the mailing list that it is
> not possible to avoid user interaction. See below for our interaction.
>
> Regards,
> AK
>
>
> arun elango <arunelango89 at gmail.com> writes:
>
>> Is it possible to use kpasswd without user interaction, i.e. not having
>> the user enter their password in the console.
>
> Oh, that's actually a legitimate cause of that error message. Okay.
>
> It's not possible to use *kpasswd* without user interaction, but it's
> definitely possible to use the underlying call to change a user's password
> without interaction. Look at kadmin, particularly kadmin change_password.
>
> kerberos at mit.edu can help further with that.
>
> On Thu, Mar 5, 2015 at 10:12 AM, Benjamin Kaduk <kaduk at mit.edu> wrote:
>
>> On Wed, 4 Mar 2015, arun elango wrote:
>>
>>> Hi Ben Kaduk,
>>>
>>> Thanks for the information.
>>>
>>> Is there any other method to implement change password other than the
>>> Kpasswd utility for Windows.
>>
>> kpasswd.exe is a way to do it, and the MIT Kerberos.exe ticket manager
>> also provides password-change functionality. I don't know of a different
>> one, offhand.
>>
>> -Ben
>>
>> P.S. any reason to remove the list from the CC? It's generally good to
>> archive questions and answers so that they can be found in the future.
>>
>> -Ben
>>
--
Stephen Carville
Apprentice Cook and Bottle Washer | LERETA, LLC
1123 Park View Drive | Covina, CA 91724
626-339-5221 X1326
scarville at lereta.com
=================================================
laeti vescimur nos subacturis
=================================================
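
The permission string quoted in the message above, decoded and checked against a least-privilege policy for a password-reset agent. This is an added example, not the poster's code; the principal names, the realm and the allowed set `mci` are assumptions.

```python
# Added example, not the poster's code. Permission letters follow MIT krb5's
# kadm5.acl format: lowercase grants, uppercase denies, 'x' and '*' mean "admcilsp".
ALL = set("admcilsp")
GRANT_ONLY = {"e"}  # extract-keys has no documented uppercase (deny) form

def effective(perms):
    """Return the set of operations a kadm5.acl permission string grants."""
    granted = set()
    for ch in perms:                      # letters are applied left to right
        if ch in "x*":
            granted |= ALL
        elif ch in ALL or ch in GRANT_ONLY:
            granted.add(ch)
        elif ch.lower() in ALL:           # uppercase letter: explicit deny
            granted.discard(ch.lower())
        else:
            raise ValueError(f"unknown permission letter {ch!r}")
    return granted

def audit(acl_text, agent, allowed=frozenset("mci")):
    """List (line_no, finding) for entries naming `agent` exactly.

    Wildcard entries that could also match the agent are not evaluated here.
    `allowed` is the assumed policy: modify, change password, inquire.
    """
    findings = []
    for n, line in enumerate(acl_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0] != agent:
            continue
        if len(fields) < 2:
            findings.append((n, "malformed"))
            continue
        extra = effective(fields[1]) - allowed
        if extra:
            findings.append((n, "excess:" + "".join(sorted(extra))))
        if len(fields) < 3 or fields[2] == "*":
            # No target principal: the entry applies to every principal.
            findings.append((n, "untargeted"))
    return findings

# Constructed sample; realm and principal names are placeholders.
SAMPLE_ACL = """\
# principal            permissions  [target]
pwreset@EXAMPLE.COM    ADmciL
pwreset@EXAMPLE.COM    admci        */user@EXAMPLE.COM
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACL, "pwreset@EXAMPLE.COM"):
        print(finding)
```

An "untargeted" finding means the entry has no third field, so the granted operations apply to every principal in the realm, administrative ones included.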