>> I believe the _client_ support for this has been cleaned up and should >> be better in MIT Kerberos 1.3, when it comes out (I don't know when that >> will be). So that is at least one important piece of the puzzle. > >Ok -- is the 1.3 CVS worth installing at this point?
I'm not a fan of using pre-release software in production, so I wouldn't know. Note that changes still need to be added to the KDC to make it work properly. >> > o If the pamified program ignores or improperly implements >> > the pam conversation function once the password has expired, >> > the user gets logged in, the the password expiration time is >> > cleared (!!) from the KDC. I've seen this with sshd & kdm. >> >> It gets _cleared_? How could that happen ... the password expiration time >> should only be cleared by a password change? > >*shrug* I haven't gone through all the code with gdb, but it's happened with >two apps. I'll see if I can track down where it is. > >Your reaction is the same as mine was, believe me. You might want to check the kadmind logs to see if there is a password change happening in there; you might be getting bitten by an errant PAM module. I can't really think of another explanation. --Ken ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
