Looking in MIT krb5 source:

$ grep -R ERR_NAME_EXP .
./src/include/k5-int.h:#define KDC_ERR_NAME_EXP 1 /* Client's entry in DB expired */
./src/kdc/kdc_util.c:            return(KDC_ERR_NAME_EXP);
./src/lib/krb5/error_tables/krb5_err.et:error_code KRB5KDC_ERR_NAME_EXP, "Client's entry in database has expired"


There appears to be only one case where NAME_EXP is returned: when the client.expiration field is passed (not client.pw_expiration)

The fields are defined in krb5_db_entry in src/include/kdb.h:

krb5_timestamp expiration; /* When the client expires */ krb5_timestamp pw_expiration; /* When its passwd expires */

I think "expiration" must equate to the "principal expiration" in IPA. But only regular password expiry would give you the option of changing it.

Regards,

Brian.

=== from src/kdc/kdc_util. c ===

    /* The client must not be expired */
    if (client.expiration && client.expiration < kdc_time) {
        *status = "CLIENT EXPIRED";
        if (vague_errors)
            return(KRB_ERR_GENERIC);
        else
            return(KDC_ERR_NAME_EXP);
    }

    /* The client's password must not be expired, unless the server is
       a KRB5_KDC_PWCHANGE_SERVICE. */
    if (client.pw_expiration && client.pw_expiration < kdc_time &&
        !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
        *status = "CLIENT KEY EXPIRED";
        if (vague_errors)
            return(KRB_ERR_GENERIC);
        else
            return(KDC_ERR_KEY_EXP);
    }

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to