master_kdc vs krb5_get_init_creds_password vs NetIDMgr

Jeffrey Altman jaltman at secure-endpoints.com
Sun Nov 5 23:12:02 EST 2006


Ken Raeburn wrote:
> On Nov 5, 2006, at 17:59, Jeffrey Altman wrote:
>> When the "master_kdc" value is defined and the password is
>> expired and a prompter function is provided, then
>> krb5_get_init_creds_password will prompt the user to change
>> the password.  If the "master_kdc" value is not defined
>> and the password is expired, then the user is never prompted.
> 
> Maybe that's something we want to change.  After all, in the LDAP case,
> it would make sense for no KDC to be singled out as a "master". 
> Perhaps, if the password is expired, we should always attempt to change it?
> 
> Ken

I spoke with lxs and KFM's Login Library always provides the user
the opportunity to change the password.

I understand why the code is written as it is.  It doesn't want to
confuse the user by attempting to change the password when it is
expired on the slave but not on the master.

The master concept is a good one except that I so rarely see a
krb5.conf/krb5.ini file that actually contains such an entry.
Nor are there very many DNS SRV records for it.

For NetIDMgr I want to be able to turn off the prompting entirely.

For everything else I think the prompting should take place whenever
krb5_get_init_creds_password would return KRB5KDC_ERR_KEY_EXP.
If we come to consensus on this latter change, I will produce a
patch that I would like to see pulled up for the KFW 3.1 release.

Jeffrey Altman