Jason Edgecombe <[email protected]> writes:

> On Linux & Windows, how are users notified that their password is about
> to expire?

Kerberos supports, in the protocol, a field in the Kerberos KDC reply saying when the keys for the principal (aka the password) will expire (and when the principal will expire if the whole principal has an expiration date set). I believe both MIT Kerberos and Active Directory set it and Heimdal doesn't, although I'm not positive about the last.

With MIT Kerberos, the client is then supposed to call krb5_get_init_creds_opt_set_expire_callback to set a callback that will receive the password and account expiration times along with some other information. I believe that the MIT kinit implementation does this. My PAM module and k5start do *not* do this (because I only found out about this facility in the last month).

It looks like Heimdal handles the password expiration display internally (configured with warn_pwexpire) rather than exposing a callback to the client of the library, which means that you always get the warning if you configure a prompter (which PAM and k5start do), but you don't have application control over it. I'm not sure if MIT displays the expiration warning by default if no callback is set. (I'd check, but I'm feeling lazy at the moment.)

> How can you do this on Windows when the passwords are in a different realm
> with cross-realm trust? (i.e. Windows is part of an AD domain that
> trusts our MIT KDC).

All of the above should work through cross-realm scenarios.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
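An added example of the callback side of what Russ describes; it is not code from this thread, from k5start, or from MIT's kinit. It shows a warning callback in the shape that MIT's krb5_get_init_creds_opt_set_expire_callback takes (context, registration data, password expiration, account expiration, and an is_last_req flag that is true when the times came from a last-req entry in the KDC reply rather than the older key_expiration field), plus the decision logic that turns those two timestamps into a message. The three typedefs, the one-week warning window, the message wording and the timestamps in main() are all this example's own choices, so that it compiles and runs without libkrb5 installed.

```c
/*
 * Added example: a password/account expiration warning callback shaped like
 * the one MIT Kerberos registers via krb5_get_init_creds_opt_set_expire_callback().
 * The three typedefs below stand in for the krb5 types so the file compiles
 * without libkrb5 (assumption: close enough to krb5.h for illustration);
 * with the real library, delete them and #include <krb5.h> instead.
 */
#include <stdio.h>
#include <string.h>
#include <time.h>

typedef int krb5_timestamp;             /* seconds since the epoch, 0 = unset */
typedef unsigned int krb5_boolean;
typedef struct _krb5_context *krb5_context;

#define WARN_WINDOW_SECONDS (7 * 24 * 3600) /* our choice: warn within a week */

enum expire_kind {
    EXPIRE_NONE = 0,   /* nothing inside the warning window */
    EXPIRE_PASSWORD,   /* the principal's keys (password) expire */
    EXPIRE_ACCOUNT,    /* the whole principal expires */
    EXPIRE_UNKNOWN     /* key_expiration without a last_req entry: ambiguous */
};

/* Pick the nearest expiration inside the window; *remaining gets the seconds
 * until it (negative if already past). A zero timestamp means the KDC set
 * no expiration of that kind. */
enum expire_kind classify_expiry(krb5_timestamp password_expiration,
                                 krb5_timestamp account_expiration,
                                 krb5_boolean is_last_req,
                                 krb5_timestamp now, long *remaining)
{
    enum expire_kind kind = EXPIRE_NONE;
    long best = 0;

    if (password_expiration != 0) {
        best = (long)password_expiration - (long)now;
        /* With no last_req entry the time came from the older key_expiration
         * field, which some KDCs fill with the account expiration instead, so
         * do not claim it is specifically the password. */
        kind = is_last_req ? EXPIRE_PASSWORD : EXPIRE_UNKNOWN;
    }
    if (account_expiration != 0) {
        long acct = (long)account_expiration - (long)now;
        if (kind == EXPIRE_NONE || acct < best) {
            best = acct;
            kind = EXPIRE_ACCOUNT;
        }
    }
    if (kind == EXPIRE_NONE || best > WARN_WINDOW_SECONDS)
        return EXPIRE_NONE;
    *remaining = best;
    return kind;
}

/* Render the warning; returns 1 with buf filled, or 0 with buf empty. */
int format_expire_warning(krb5_timestamp password_expiration,
                          krb5_timestamp account_expiration,
                          krb5_boolean is_last_req, krb5_timestamp now,
                          char *buf, size_t len)
{
    long left = 0;
    const char *what;

    buf[0] = '\0';
    switch (classify_expiry(password_expiration, account_expiration,
                            is_last_req, now, &left)) {
    case EXPIRE_PASSWORD: what = "Your password"; break;
    case EXPIRE_ACCOUNT:  what = "Your account"; break;
    case EXPIRE_UNKNOWN:  what = "Your password or account"; break;
    default:              return 0;
    }
    if (left <= 0)
        snprintf(buf, len, "Warning: %s has expired", what);
    else if (left < 3600)
        snprintf(buf, len, "Warning: %s will expire in less than one hour", what);
    else if (left < 86400)
        snprintf(buf, len, "Warning: %s will expire in %ld hour%s", what,
                 left / 3600, left / 3600 == 1 ? "" : "s");
    else
        snprintf(buf, len, "Warning: %s will expire in %ld day%s", what,
                 left / 86400, left / 86400 == 1 ? "" : "s");
    return 1;
}

/* The callback itself, in the shape libkrb5 invokes after a successful AS
 * exchange (the real declaration also carries KRB5_CALLCONV). `data` is the
 * pointer registered with it; here an optional FILE * to print to. With the
 * real library: krb5_get_init_creds_opt_set_expire_callback(ctx, opt,
 * expire_callback, stderr); before calling krb5_get_init_creds_password(). */
void expire_callback(krb5_context context, void *data,
                     krb5_timestamp password_expiration,
                     krb5_timestamp account_expiration, krb5_boolean is_last_req)
{
    FILE *out = data ? (FILE *)data : stderr;
    char msg[128];

    (void)context;
    if (format_expire_warning(password_expiration, account_expiration,
                              is_last_req, (krb5_timestamp)time(NULL),
                              msg, sizeof msg))
        fprintf(out, "%s\n", msg);
}

int main(void)
{
    /* Constructed inputs standing in for what a KDC reply would carry. */
    krb5_timestamp now = (krb5_timestamp)time(NULL);

    expire_callback(NULL, stdout, now + 3 * 86400 + 100, 0, 1);   /* password, 3 days */
    expire_callback(NULL, stdout, now + 5 * 86400, now + 2 * 86400, 1); /* account sooner */
    expire_callback(NULL, stdout, now + 86400, 0, 0);             /* ambiguous field */
    expire_callback(NULL, stdout, now + 30 * 86400, 0, 1);        /* outside window: silent */
    return 0;
}
```

The point of keeping the decision in classify_expiry, separate from the printing, is that a PAM module or a daemon like k5start would not want to print at all: it can log, set a session message, or ignore the ambiguous key_expiration case, which is exactly the application control Russ notes Heimdal's internal warn_pwexpire handling does not give you.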
