CT <[email protected]> writes:

> Having an issue where when an account password has expired it doesn't
> prompt user to change it and lets user login. It does show a message
> saying that it has expired.

Sun intentionally disables the normal Kerberos library support for changing passwords when authenticating with expired passwords. I'm not sure why they chose to do that.

If you're running into this in the PAM context, you can work around this by using a PAM module and an application that supports the fully correct PAM method of handling expired accounts (return success from auth and then indicate a password change is needed in the account stack), or you can use a PAM module that detects and works around this case by doing the password change prompting itself in the auth stack (my pam-krb5 with force_pwchange set in the options, for instance).

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
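
Added example, not part of the original message or of the pam-krb5 distribution: a constructed Solaris-style /etc/pam.conf fragment showing where the force_pwchange option mentioned in the reply would be set. The service name and module install path are assumptions, and the rest of the site's stack is omitted.

```conf
# Constructed fragment in the Solaris single-file format:
#   service  type  control  module-path  options
#
# Assumptions (not from the message): the service is "login" and the
# module is installed under /usr/local/lib/security. The module here is
# Russ Allbery's pam-krb5; force_pwchange is that module's option and is
# not expected to work with the Sun-bundled pam_krb5.so.1.

# auth stack: when the KDC reports the password as expired, the module
# prompts for a new password and performs the change during authentication,
# so a login with an expired password cannot complete without a change.
login  auth     sufficient  /usr/local/lib/security/pam_krb5.so  force_pwchange

# ... the site's other auth modules (local password fallback) go here ...

# account stack: keep the module here as well so its account checks
# still run for applications that call the account phase.
login  account  required    /usr/local/lib/security/pam_krb5.so

# ... the site's other account modules go here ...
```

After changing the stack, test with a principal whose password has been deliberately expired and confirm that the session is refused unless the change succeeds.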
