> On 4/29/07, Ken Hornstein <[EMAIL PROTECTED]> wrote:
> > > If I recall correctly, our method for handling the salt correctly for
> > > any enctype now involves having the person set a new password
> > > when they change their username.
> >
> > If you're going to do this anyway, and assuming you aren't doing
> > the right magic to preserve the password history correctly (from what I
> > remember, that old code in kadmind didn't do that), then why are you
> > adding the code for rename_principal back into kadmind? It sounds
> > like you could do everything you are talking about with a delete
> > and an add.
>
> We started having users set a new password when they change
> their username within the last year. We've been putting the
> rename code back in for a lot longer. John would have to say
> if we do anything with password history, though I think we
> don't.

Password history is a moot point for us. Should we care about that at some point, we'll worry about it then.

Needing to do a password change is not because of anything in Kerberos itself; it's because we sync our MIT and Windows-AD KDCs and because WebCT Vista's Kerberos implementation is a total piece of crap. It doesn't do the enctype or salt stuff right, so it can only auth against a Win-AD KDC (or, I'm presuming, an MIT KDC set up to use the exact same enctype/salt), and because it doesn't do the salt correctly, anyone who has had a rename can't log in to WebCT until they've had a password change.

When I finally got somebody at WebCT/Blackboard/whatever to understand how broken their implementation was, they offered to let us pay them to fix it. Umm, no.

John

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
