On Thu, Nov 12, 2009 at 03:04:29PM -0600, Will Fiveash wrote:
> On Wed, Nov 11, 2009 at 06:28:59PM -0600, Nicolas Williams wrote:
> > On Wed, Nov 11, 2009 at 04:06:00PM -0800, Gary Winiger wrote:
> > > > I think this
> > > > is
> > > > > Kerberos V5 Account Management Module
> > > The Kerberos account management component provides a
> > > function to perform account management, pam_sm_acct_mgmt().
> > > This function checks to see if the pam_krb5 authentication
> > > module has noted that the user's password has not expired.
> > >-------------->This does not apply if the module is using PKINIT
> > >-------------->preauthentication. The following options may be passed in
> > >-------------->to the Kerberos V5 account management module:
> >
> > Does not mean that no account authorization happens. It only means that
> > when using PKINIT there is no password expiration, for semi-obvious
> > reasons (a password wasn't used, and there may not be one).
>
> If the user's password is expired, the KDC will send an error message
> whether the user tries PKINIT or password preauth. However, a password
> is required for pam_krb5 to verify, so password fallback must be
> configured if this is a possibility.
I was wrong about the above (I was testing code changes). Even if pam_krb5
is configured to do PKINIT only in the auth stack, if the KDC indicates the
password is expired, the pam_krb5 account and password modules will function
as they do now.

--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA