Account unlocking and kadmin
Greg Hudson
ghudson at mit.edu
Sat Nov 7 12:12:00 EST 2015
On 11/07/2015 12:00 PM, John Devitofranceschi wrote:
> Might it be the case that administrative account unlocking using kadmin (modprinc -unlock princname) will fail in some cases if the version of kadmin is not sufficiently modern?
>
> For example, kadmin from 1.8.2 can be used to a unlock a principal on a 1.13.2 master, but not when the principal is locked on one of the slaves (when propagating from the master).
>
> When a 1.13.2 kadmin is used, "modprinc -unlock” works for the master and the slaves.
Yes, the client participates in setting the last-administrative-unlock
timestamp during an unlock, and that code was added in 1.9.
More information about the Kerberos
mailing list