Adding a krb5_get_change_password_message() function?

Stef Walter stefw at
Wed Apr 25 07:43:49 EDT 2012

The data returned by krb5_change_password() in its *result_string
argument is sometimes a utf-8 string, and sometimes a data structure.

In particular, AD returns the following structure (also seen in
winbind). Looks like even though MS wrote the RFC on kerberos change
password, they don't follow it :(

PolicyInfo { /* all in network byte order */
        uint16 zero_bytes; /* so that structure is not read as string */
	uint32 min_length_password;
	uint32 password_history;
	uint32 password_properties; /* see defines below */
	uint64 expire; /* in seconds * 10,000,000 */
	uint64 min_passwordage; /* in seconds * 10,000,000 */

#define PASSWORD_COMPLEX		0x00000001
#define PASSWORD_NO_ANON_CHANGE	0x00000002
#define PASSWORD_NO_CLEAR_CHANGE	0x00000004
#define PASSWORD_LOCKOUT_ADMINS	0x00000008
#define REFUSE_PASSWORD_CHANGE	0x00000020

I was wondering if we want to add a krb5_get_change_password_message()
which changes the result_string returned from krb5_change_password()
into a displayable message explaining to the user more info about the
password rejection and policy requirements?

If it is already utf-8 data, then krb5_get_change_password_message()
would null-terminate it correctly and return it. If it's another
structure that we recognize, krb5_get_change_password_message() could
format a useful message from it.

WDYT? It seems krb5 has lots of other interop stuff. Would this fit in
as well?



More information about the krbdev mailing list