[EMAIL PROTECTED] (Nicolas Williams) writes:

> Oh, yes, IIRC there was a bug in krb5_gic_pwd() that prevented the
> "Password will expire in X [time]" warning from ever being prompted.
>
> I forget the details, but I can dig it up - IIRC it was pretty obvious.

The one I reported can be found at:

http://mailman.mit.edu/pipermail/krb5-bugs/2002-February/000012.html

I was tempted to rewrite that entire if, but was trying to keep the patches minimal.

However, there's also the issue of the meaning of key_exp field which you've alluded to. The MIT KDC sets key_exp to the *principal* expiration time, not the password expiration, so the prompter still won't trigger on password expiration. We patch our kdc thusly:

--- kdc/do_as_req.c Thu Oct 25 15:27:09 2001 +++ ../../krb5/kdc/do_as_req.c Fri Dec 21 14:12:21 2001 @@ -374,7 +374,7 @@ goto errout; } reply_encpart.nonce = request->nonce; - reply_encpart.key_exp = client.expiration; + reply_encpart.key_exp = client.pw_expiration; reply_encpart.flags = enc_tkt_reply.flags; reply_encpart.server = ticket_reply.server;

--
"The mere tendency of speech to encourage unlawful acts is not a sufficient reason for banning it. [...] The right to think is the beginning of freedom, and speech must be protected from the government because speech is the beginning of thought." --Anthony Kennedy

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
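
Review bot: At the changed assignment in the `@@ -374,7 +374,7 @@` hunk, `reply_encpart.key_exp = client.pw_expiration;` drops the principal expiration from the AS reply entirely, so a client that warns on key_exp would no longer hear about an account that is about to expire, and a principal with no password expiry set would presumably return an empty key_exp even when client.expiration is set. Consider sending the earlier of the two times that are actually set, and add a comment at the assignment stating which expiration key_exp is meant to carry, since the hunk changes that meaning without documenting it. The `---` and `+++` paths also differ in depth (`kdc/do_as_req.c` against `../../krb5/kdc/do_as_req.c`), so the patch will not apply with a single -p level; regenerating it from a common root would help.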
