suggestion for locating master kdc logic
rra at stanford.edu
Fri Apr 6 17:11:32 EDT 2012
Greg Hudson <ghudson at MIT.EDU> writes:
> On 04/06/2012 04:09 PM, Russ Allbery wrote:
>> Not only do you lose fallback in this case, but you also don't get
>> password change on expired password, unless you patched the code to not
>> require master_kdc in that case as well.
> My test results with current code don't match this claim. I do see a
> bug that the kpasswd_server -> admin_server fallback doesn't work for
> kinit password changes, but the presence or absence of master_kdc
> doesn't seem to have any relevance. (Nor would one expect it to, since
> password changes don't go through a KDC.)
Ah, it looks like it was fixed in 2006:
r18764 | jaltman | 2006-11-06 13:55:13 -0800 (Mon, 06 Nov 2006) | 18 lines
subject: krb5_get_init_creds_password does not consistently prompt for password changing
krb5_get_init_creds_password() previously did not consistently
handle KRB5KDC_ERR_KEY_EXP errors. If there is a "master_kdc"
entry for the realm and the KDC is reachable, then the function
will prompt the user for a password change. Otherwise, it will
return the error code to the caller. If the caller is a ticket
manager, it will prompt the user for a password change with a
dialog that is different from the one generated by the prompter
function passed to krb5_get_init_creds_password.
With this change krb5_get_init_creds_password() will always
prompt the user if it would return KRB5KDC_ERR_KEY_EXP unless
the function is compiled with USE_LOGIN_LIBRARY. (KFM)
Thanks for pointing me at that. I'll update my documentation accordingly.
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
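Since the thread turns on which krb5.conf entries a client actually consults (master_kdc for the retry after a failed initial-credentials request, and kpasswd_server with its admin_server fallback for password changes), here is a small added check, not code from the thread or from MIT krb5, that parses the [realms] stanza of a krb5.conf and reports what each realm resolves to. The sample configuration is constructed for the example. The resolution order it models is the one in the MIT documentation (kpasswd_server if present, otherwise port 464 on the admin_server host); the DNS SRV lookup that sits between those two steps is deliberately left out, so treat the output as "what the static config says", not as what a DNS-enabled client would do.

```python
"""Inspect a krb5.conf [realms] stanza to see which hosts a client would use
for the master_kdc retry and for password changes (kpasswd_server, else
admin_server on port 464).  Added example; not part of MIT krb5."""

import re
from collections import defaultdict

# Constructed sample krb5.conf for this example (hostnames are placeholders).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        master_kdc = kdc1.example.com
        admin_server = kdc1.example.com
    }
    OTHER.EXAMPLE = {
        kdc = kdc.other.example
        admin_server = kdc.other.example:749
        kpasswd_server = pw.other.example:464
    }
"""

KPASSWD_PORT = 464   # default port of the password-change protocol
KADMIN_PORT = 749    # default port of the kadmin protocol


def parse_realms(text):
    """Return {REALM: {key: [values...]}} from the [realms] section.

    Handles the one level of brace nesting krb5.conf uses for realm stanzas;
    '#' / ';' comments and other sections are skipped.  Repeated keys such as
    multiple 'kdc' lines are kept in order.
    """
    realms = defaultdict(lambda: defaultdict(list))
    section = None
    realm = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section, realm = m.group(1), None
            continue
        if section != 'realms':
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)
        if m and realm is None:
            realm = m.group(1)
            continue
        if line == '}':
            realm = None
            continue
        if realm is not None and '=' in line:
            key, _, value = line.partition('=')
            realms[realm][key.strip()].append(value.strip())
    return {r: dict(v) for r, v in realms.items()}


def _host_port(value, default_port):
    """Split 'host[:port]' into (host, port), using default_port if absent."""
    host, sep, port = value.rpartition(':')
    if sep and port.isdigit():
        return host, int(port)
    return value, default_port


def password_change_target(realms, realm):
    """(host, port) a client sends a password change to for this realm.

    Order modelled: kpasswd_server if set, else the admin_server host on
    port 464.  The DNS SRV step in between is not modelled (assumption of
    this example).  Returns None when neither entry is configured.
    """
    cfg = realms.get(realm, {})
    if cfg.get('kpasswd_server'):
        return _host_port(cfg['kpasswd_server'][0], KPASSWD_PORT)
    if cfg.get('admin_server'):
        host, _ = _host_port(cfg['admin_server'][0], KADMIN_PORT)
        return host, KPASSWD_PORT
    return None


def master_kdcs(realms, realm):
    """master_kdc entries for the realm (empty list if none configured)."""
    return list(realms.get(realm, {}).get('master_kdc', []))


if __name__ == '__main__':
    parsed = parse_realms(SAMPLE_KRB5_CONF)
    for name in parsed:
        print(name, 'master_kdc:', master_kdcs(parsed, name) or '(none)',
              'password change:', password_change_target(parsed, name))
```

Run it against a real /etc/krb5.conf by replacing SAMPLE_KRB5_CONF with the file contents; a realm that reports no password-change target is one where only DNS SRV records could rescue a kinit-driven password change.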