Andreas Ntaflos <[email protected]> writes:

> I would have thought that the following command does what I want:
>
> kadmin.local -q "addprinc +needchange +requires_preauth \
>   -pwexpire '15 minutes' -pw secret foobar"
>
> If I understand correctly this adds a new principal foobar with password
> "secret" that should expire in 15 minutes and needs to change the
> password on the next kinit call. The "requires_preauth" seems to be set
> by the default policy and needs to be there, otherwise the principal
> cannot be authenticated.
>
> Unfortunately the user can still log in (and is prompted to change his
> password by the system) even after the temporary password is past its
> expiration date.
>
> Why so? Does "+needchange" take precedence over any password expiration
> date?

No, password expiration dates don't mean what you think they mean. A
password expiration date is the date after which the user is forced to
change their password. It doesn't disable the principal entirely.

An expired password configured via -pwexpire is exactly equivalent to
marking the account with +needchange, so far as I can determine, except
that +needchange is cleared completely on the next password change but
-pwexpire dates are pushed out by the password expiration time from the
password policy.

I don't think there's a way to do what you want entirely automatically.
You can set an expiration on the *principal*, but that isn't cleared
automatically on password change; you'll need some process to go back
and clear those expirations if the user changed their password.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
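The workaround Russ describes (put the expiration on the principal with -expire rather than on the password with -pwexpire, then have a process clear it once the user has changed the password) worked through as an added example; this is not code from the thread or from MIT Kerberos. It assumes MIT kadmin.local on the PATH, getprinc output in the LANG=C form "Expiration date: Tue Jan 08 10:15:00 UTC 2013" / "[never]", and that the time the temporary password was issued is kept by the issuing script, since the KDC does not record it separately. The getprinc transcripts, the principal names and the FakeKadmin runner are constructed so the sweep can be exercised offline.

```python
"""Temporary password via a principal expiration, plus the sweep that clears it.

Added example for the kadmin thread above; not code from the thread or from
MIT Kerberos.  Assumptions: MIT kadmin.local on PATH, run with read/modify
rights on the KDC database, and getprinc output in LANG=C form.  The sweep
needs the time the temporary password was issued; issue_temporary_password
returns it so the caller can store it.
"""
import re
import subprocess
from datetime import datetime

# Constructed sample of `getprinc foobar`, abridged to the lines used: the
# temporary password was issued at 10:00 and the user ran kpasswd at 10:05.
SAMPLE_CHANGED = """\
Principal: foobar@EXAMPLE.COM
Expiration date: Tue Jan 08 10:15:00 UTC 2013
Last password change: Tue Jan 08 10:05:00 UTC 2013
Password expiration date: [never]
Attributes: REQUIRES_PRE_AUTH
"""
# Same principal, but the user never changed the password: the last change
# is still the admin's at 10:00, so the expiration must stay in place.
SAMPLE_UNCHANGED = SAMPLE_CHANGED.replace("10:05:00", "10:00:00")

KADMIN_DATE = re.compile(r"^\w{3} (\w{3}) (\d{1,2}) (\d{2}):(\d{2}):(\d{2}) \S+ (\d{4})$")


def parse_kadmin_date(text):
    """Parse a kadmin timestamp; "[never]" becomes None.  The zone token is
    ignored: every value comes from the same host and is only compared to
    other values and timestamps taken on that host."""
    text = text.strip()
    if text == "[never]":
        return None
    m = KADMIN_DATE.match(text)
    if not m:
        raise ValueError("unrecognised kadmin date: %r" % text)
    mon, day, hh, mm, ss, year = m.groups()
    month = datetime.strptime(mon, "%b").month
    return datetime(int(year), month, int(day), int(hh), int(mm), int(ss))


def parse_getprinc(output):
    """Turn getprinc's "Field: value" lines into a dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def expiration_should_be_cleared(getprinc_output, issued_at):
    """True when the principal still carries an expiration date and its
    password was changed after the temporary one was issued."""
    fields = parse_getprinc(getprinc_output)
    expires = parse_kadmin_date(fields.get("Expiration date", "[never]"))
    last_change = parse_kadmin_date(fields.get("Last password change", "[never]"))
    if expires is None or last_change is None:
        return False
    return last_change > issued_at


def kadmin(command, runner=subprocess.run):
    """Run one kadmin.local command, fed on stdin instead of -q so that a
    password in it never shows up in the process list."""
    proc = runner(["kadmin.local"], input=command + "\n",
                  capture_output=True, text=True, check=True)
    return proc.stdout


def issue_temporary_password(principal, password, minutes, runner=subprocess.run):
    """-expire locks the principal out when it passes; -pwexpire, as the
    thread explains, only forces a password change.  Returns the issue time
    (host-local, like getprinc's timestamps) for the later sweep."""
    issued_at = datetime.now().replace(microsecond=0)
    kadmin('addprinc +needchange +requires_preauth -expire "%d minutes" -pw %s %s'
           % (minutes, password, principal), runner)
    return issued_at


def sweep(principals_with_issue_time, runner=subprocess.run):
    """Clear the expiration of every principal whose user has replaced the
    temporary password; returns the principals that were cleared."""
    cleared = []
    for principal, issued_at in principals_with_issue_time:
        if expiration_should_be_cleared(kadmin("getprinc " + principal, runner), issued_at):
            kadmin("modprinc -expire never " + principal, runner)
            cleared.append(principal)
    return cleared


class FakeKadmin:
    """Constructed stand-in for subprocess.run so the sweep runs without a
    KDC: answers getprinc from canned output and records every command."""
    def __init__(self, answers):
        self.answers, self.commands = answers, []

    def __call__(self, argv, input, capture_output, text, check):
        self.commands.append(input.strip())
        principal = input.strip().rpartition(" ")[2]
        out = self.answers.get(principal, "") if input.startswith("getprinc") else ""
        return subprocess.CompletedProcess(argv, 0, stdout=out, stderr="")


def demo():
    """Sweep two constructed principals issued at 10:00; only foobar changed."""
    fake = FakeKadmin({"foobar": SAMPLE_CHANGED, "barfoo": SAMPLE_UNCHANGED})
    issued = datetime(2013, 1, 8, 10, 0, 0)
    return sweep([("foobar", issued), ("barfoo", issued)], runner=fake), fake.commands


if __name__ == "__main__":
    print(demo())
```

The comparison is deliberately against the recorded issue time rather than against the expiration date, because an admin may reissue or extend a temporary password; the sweep only ever removes an expiration after it has seen a password change that postdates the issue it knows about, and it leaves -pwexpire alone, which is the field the thread shows does not lock anyone out.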
