Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread Brian Candler
On 25/10/2016 10:50, Prasun Gera wrote:
> When is principal expiration triggered? I haven't set it explicitly for any user, and ipa user-show doesn't show that attribute either. I'm not very familiar with Kerberos.

It doesn't show it unless it has been set. You can set it like this: # ipa

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread Prasun Gera
> There appears to be only one case where NAME_EXP is returned: when the client.expiration field is passed (not client.pw_expiration)
>
> I think "expiration" must equate to the "principal expiration" in IPA. But only regular password expiry would give you the option of changing it.

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread Brian Candler
Looking in MIT krb5 source:
$ grep -R ERR_NAME_EXP .
./src/include/k5-int.h:#define KDC_ERR_NAME_EXP 1 /* Client's entry in DB expired */
./src/kdc/kdc_util.c:return(KDC_ERR_NAME_EXP);
./src/lib/krb5/error_tables/krb5_err.et:error_code KRB5KDC_ERR_NAME_EXP,

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread Prasun Gera
David & Brian, I'm familiar with the usual password expiration message that shows up which forces you to change the password. I've seen that before. However, I didn't see it this time, which is odd. Since I was able to kinit, I reset the password, and it started working again. I don't have an

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread Brian Candler
On 25/10/2016 08:29, David Kupka wrote:
> If I understood Brian correctly he was asking about expiration of NTLM password hashes.

Partly. As long as the hash remains in the database and is readable via LDAP, I know it will continue to work for authentication. However I was also asking

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread Brian Candler
On 25/10/2016 00:02, Prasun Gera wrote: I've seen some different behaviour. I've had errors for users (including the admin user) trying to log in with possibly an expired password. Both webui and ssh would fail, but kinit would work. I'm not sure if this is related to the password's expiration

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread David Kupka
On 25/10/16 01:02, Prasun Gera wrote: I've seen some different behaviour. I've had errors for users (including the admin user) trying to log in with possibly an expired password. Both webui and ssh would fail, but kinit would work. I'm not sure if this is related to the password's expiration or

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-24 Thread Prasun Gera
I've seen some different behaviour. I've had errors for users (including the admin user) trying to log in with possibly an expired password. Both webui and ssh would fail, but kinit would work. I'm not sure if this is related to the password's expiration or the account's expiration. My

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-24 Thread David Kupka
On 21/10/16 15:17, Brian Candler wrote: Question: when a password expires, does it remain in a usable state in the database indefinitely? For example, if someone comes along a year after their password has expired, can they still login once with that password? This is actually what I want, but

[Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-21 Thread Brian Candler
Question: when a password expires, does it remain in a usable state in the database indefinitely? For example, if someone comes along a year after their password has expired, can they still login once with that password? This is actually what I want, but I just want to confirm there's not