Account unlocking and kadmin

Greg Hudson ghudson at mit.edu
Sat Nov 7 12:12:00 EST 2015


On 11/07/2015 12:00 PM, John Devitofranceschi wrote:
> Might it be the case that administrative account unlocking using kadmin (modprinc -unlock princname) will fail in some cases if the version of kadmin is not sufficiently modern?
> 
> For example, kadmin from 1.8.2 can be used to unlock a principal on a 1.13.2 master, but not when the principal is locked on one of the slaves (when propagating from the master).
> 
> When a 1.13.2 kadmin is used, "modprinc -unlock" works for the master and the slaves.

Yes, the client participates in setting the last-administrative-unlock
timestamp during an unlock, and that code was added in 1.9.

