kerberos - Kadmin does not work

Stephen Carville scarville at lereta.com
Fri Mar 6 15:57:42 EST 2015


I had this problem when I needed to set up a way for users to change or
reset their Kerberos passwords.  I didn't want to let most of the users
have shell access to the Linux boxes and I really did not want accounts
with a generic password that never gets changed.  That pretty much
eliminated kpasswd.

I ended up writing a CGI application that runs on an internal web server
and connects to the admin server via an ssh session.  The ssh session is
configured to start up a small agent program that receives a username
and password then uses kadmin to change or reset the password.  The
program runs as a user with only sufficient privileges to set a password
on an existing account and change its expiration time: "ADmciL" in
kadm5.acl.

It seemed kind of a clumsy way to do it and the code is not everywhere
pretty.  Still, after I hammered out the wrinkles in permissions and ssh
keys, it has worked pretty well.

So it is doable but takes some work.

On 03/04/2015 06:32 PM, arun elango [Masked] wrote:
> 
> Hi Ben,
> 
> Thanks.
> 
> Yes, kpasswd can be used.  But it requires user interaction in the
> console; I am looking for other methods wherein users don't need to enter
> their passwords in the console, i.e. pass the parameters to the kpasswd
> console programmatically.
> 
> However , I heard from one of the members in the mailing list that it is
> not possible to avoid user interaction. See below for our interaction.
> 
> Regards,
> AK
> 
> 
> arun elango <arunelango89 at gmail.com> writes:
> 
>> Is it possible to use kpasswd without user interaction i:e not having
>> user to enter their password in the console.
> 
> Oh, that's actually a legitimate cause of that error message.  Okay.
> 
> It's not possible to use *kpasswd* without user interaction, but it's
> definitely possible to use the underlying call to change a user's password
> without interaction.  Look at kadmin, particularly kadmin change_password.
> 
> kerberos at mit.edu can help further with that.
> 
> On Thu, Mar 5, 2015 at 10:12 AM, Benjamin Kaduk <kaduk at mit.edu> wrote:
> 
>> On Wed, 4 Mar 2015, arun elango wrote:
>>
>>> Hi Ben Kaduk,
>>>
>>> Thanks for the information.
>>>
>>> Is there any other method to implement change password other than the
>>> Kpasswd utility for Windows.
>>
>> kpasswd.exe is a way to do it, and the MIT Kerberos.exe ticket manager
>> also provides password-change functionality.  I don't know of a different
>> one, offhand.
>>
>> -Ben
>>
>> P.S. any reason to remove the list from the CC?  It's generally good to
>> archive questions and answers so that they can be found in the future.
>>
>> -Ben
>>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

-- 
Stephen Carville
Apprentice Cook and Bottle Washer | LERETA, LLC
1123 Park View Drive | Covina, CA 91724
626-339-5221 X1326
scarville at lereta.com
=================================================
laeti vescimur nos subacturis
=================================================
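
The agent described in the reply above (an ssh forced command that takes a username and new password and drives kadmin under a narrowly privileged principal), as an added example that is not Stephen's program or any MIT code. Everything named is an assumption for illustration: the realm EXAMPLE.COM, the admin principal pwreset/admin with keytab /etc/krb5/pwreset.keytab, and a kadm5.acl line `pwreset/admin@EXAMPLE.COM  ADmciL  *@EXAMPLE.COM` (lowercase letters grant, uppercase deny: add and delete and list are denied, modify, changepw and inquire are allowed, so the principal can reset a password and move its expiry but not create, remove or enumerate accounts). The web tier's ssh key would be pinned to this script in authorized_keys with `command="/usr/local/sbin/pwreset-agent",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding`. The two points the example makes are that the caller can only name a plain user principal (no instance, no foreign realm) and that the password reaches kadmin on stdin rather than in argv, where it would show up in the process list.

```python
"""Constrained kadmin password-reset agent (illustrative; assumes the
principal, keytab, realm and ACL described in the lead-in)."""
import json
import re
import subprocess
import sys
from typing import Optional

REALM = "EXAMPLE.COM"                        # assumption
ADMIN_PRINCIPAL = f"pwreset/admin@{REALM}"   # assumption, ACL "ADmciL"
KEYTAB = "/etc/krb5/pwreset.keytab"          # assumption

# Plain user principals only: no '/', '@' or whitespace, so a caller cannot
# name an instance (root/admin, host/...) or a principal in another realm.
PRINCIPAL_RE = re.compile(r"^[a-z][a-z0-9._-]{0,31}$")
# Defence in depth on top of kadm5.acl: never touch these even if they match.
DENIED = frozenset({"krbtgt", "kadmin", "admin", "root"})
# kadmin's -pwexpire takes a getdate string; keep it to a single token.
PWEXPIRE_RE = re.compile(r"^[A-Za-z0-9:/+.-]{1,40}$")


def validate_principal(name: str) -> bool:
    return bool(PRINCIPAL_RE.match(name)) and name not in DENIED


def validate_password(password: str) -> bool:
    """kadmin commands are newline-delimited and whitespace-split, so a
    password containing a newline could inject a second command and one
    containing spaces or quotes would be mis-parsed. This simple agent
    therefore accepts printable ASCII without whitespace, quotes or
    backslashes (a limitation of pushing the secret through kadmin's
    line-oriented syntax, not a Kerberos rule)."""
    return (8 <= len(password) <= 256
            and all(33 <= ord(c) <= 126 for c in password)
            and '"' not in password and "\\" not in password)


def build_kadmin_request(principal: str, password: str,
                         pwexpire: Optional[str] = None):
    """Return (argv, stdin_text) for one kadmin run.

    Without -q, kadmin reads its commands from stdin, so the new password
    never appears in argv. -k/-t authenticate with the restricted keytab."""
    if not validate_principal(principal):
        raise ValueError("bad principal")
    if not validate_password(password):
        raise ValueError("bad password")
    argv = ["kadmin", "-k", "-t", KEYTAB, "-p", ADMIN_PRINCIPAL]
    full = f"{principal}@{REALM}"
    commands = [f"change_password -pw {password} {full}"]
    if pwexpire is not None:
        if not PWEXPIRE_RE.match(pwexpire):
            raise ValueError("bad pwexpire")
        commands.append(f"modify_principal -pwexpire {pwexpire} {full}")
    commands.append("quit")
    return argv, "\n".join(commands) + "\n"


def parse_request(line: str) -> dict:
    """One JSON object per request, e.g. (constructed input)
    {"principal": "alice", "password": "...", "pwexpire": "2025-12-31"}."""
    req = json.loads(line)
    if not isinstance(req, dict) or not {"principal", "password"} <= req.keys():
        raise ValueError("malformed request")
    return req


def main() -> int:
    """Entry point when run as the ssh forced command: reads one request
    from stdin, runs kadmin, and reports only success or failure to the
    caller (kadmin's stderr stays on the admin host)."""
    try:
        req = parse_request(sys.stdin.readline())
        argv, script = build_kadmin_request(req["principal"], req["password"],
                                            req.get("pwexpire"))
    except (ValueError, json.JSONDecodeError):
        print("rejected")
        return 2
    proc = subprocess.run(argv, input=script, text=True,
                          capture_output=True, timeout=30)
    ok = proc.returncode == 0 and "change_password" not in proc.stderr
    print("ok" if ok else "failed")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

The web side would then run `ssh -i /path/to/pinned-key pwreset@admin-host` and write one JSON line to its stdin; because the key is bound to a forced command, that is the only thing the key can do on the admin host.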

