On 25/10/2016 10:50, Prasun Gera wrote:
When is principal expiration triggered? I haven't set it explicitly
for any user, and ipa user-show doesn't show that attribute either.
I'm not very familiar with Kerberos.
It doesn't show it unless it has been set. You can set it like this:
# ipa
>
> There appears to be only one case where NAME_EXP is returned: when the
> client.expiration field is passed (not client.pw_expiration)
>
> I think "expiration" must equate to the "principal expiration" in IPA. But
> only regular password expiry would give you the option of changing it.
>
>
Looking in MIT krb5 source:
$ grep -R ERR_NAME_EXP .
./src/include/k5-int.h:#define KDC_ERR_NAME_EXP 1 /* Client's entry in DB expired */
./src/kdc/kdc_util.c:return(KDC_ERR_NAME_EXP);
./src/lib/krb5/error_tables/krb5_err.et:error_code KRB5KDC_ERR_NAME_EXP,
David & Brian,
I'm familiar with the usual password expiration message that shows up which
forces you to change the password. I've seen that before. However, I didn't
see it this time, which is odd. Since I was able to kinit, I reset the
password, and it started working again. I don't have an
On 25/10/2016 08:29, David Kupka wrote:
If I understood Brian correctly he was asking about expiration of NTLM
password hashes.
Partly.
As long as the hash remains in the database and is readable via LDAP, I
know it will continue to work for authentication. However I was also
asking
On 25/10/2016 00:02, Prasun Gera wrote:
I've seen some different behaviour. I've had errors for users
(including the admin user) trying to log in with possibly an expired
password. Both webui and ssh would fail, but kinit would work. I'm not
sure if this is related to the password's expiration
On 25/10/16 01:02, Prasun Gera wrote:
I've seen some different behaviour. I've had errors for users (including
the admin user) trying to log in with possibly an expired password. Both
webui and ssh would fail, but kinit would work. I'm not sure if this is
related to the password's expiration or
I've seen some different behaviour. I've had errors for users (including
the admin user) trying to log in with possibly an expired password. Both
webui and ssh would fail, but kinit would work. I'm not sure if this is
related to the password's expiration or the account's expiration. My
On 21/10/16 15:17, Brian Candler wrote:
Question: when a password expires, does it remain in a usable state in
the database indefinitely? For example, if someone comes along a year
after their password has expired, can they still login once with that
password?
This is actually what I want, but
Question: when a password expires, does it remain in a usable state in
the database indefinitely? For example, if someone comes along a year
after their password has expired, can they still login once with that
password?
This is actually what I want, but I just want to confirm there's not