Re: How to expire passwords for Kerberos user accounts

I believe there is an error in the commands you have given out. If you use the -expire switch it sets an expiry date on the principal itself and not the principal PW. I believe the switch you need is -pwexpire. Correct me if I am wrong, but I tested with my KDC’s and confirmed. William

Re: kadmin.local no logging

I figured this was the case as I have been unable to find logs of admin.local operations. Thanks for the replies. William Clark On Jul 12, 2015, at 1:47 PM, Greg Hudson ghud...@mit.edu wrote: On 07/10/2015 05:09 PM, William Clark wrote: Noticed today while doing some operations

kadmin.local no logging

= SYSLOG:INFO:AUTH kdc = FILE:/var/log/krb5kdc.log admin_server = SYSLOG:INFO:AUTH admin_server = FILE:/var/log/kadmin.log default = FILE:/var/log/krb5lib.log William Clark Kerberos mailing list Kerberos@mit.edu https

Re: Adding higher grade crypto to existing KDC servers while maintaining weak

their passwords to get the new keys added to their principals. Along with a change to their krb5.conf or edu.it.Kerberos to support the encryption types, this was this was enough to support OS X Yosemite. William Clark On Oct 19, 2014, at 6:50 PM, Benjamin Kaduk ka...@mit.edu wrote: Hi William

Adding higher grade crypto to existing KDC servers while maintaining weak

. But this will be a major undertaking just to issue the new keytabs alone. William Clark Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: The mysterious death of kprop when running incremental propagtion

, this seems to work for my particular load profile. Thank you Jeremy and Greg for your help in guiding me along with this. Cheers! William Clark On Apr 3, 2014, at 12:54 AM, Jeremy Hunt jere...@optimation.com.au wrote: Hi William, Of course for option 2, the reads of the dumped database probably

Re: The mysterious death of kprop when running incremental propagtion

and incremental propagation is desired. Again thank you both for taking the time to explore this with me! William Clark On Apr 3, 2014, at 12:54 AM, Jeremy Hunt jere...@optimation.com.au wrote: Hi William, Of course for option 2, the reads of the dumped database probably need no locks so you

Re: The mysterious death of kprop when running incremental propagtion

would be helpful. William Clark On Mar 31, 2014, at 8:34 PM, Greg Hudson ghud...@mit.edu wrote: On 03/31/2014 05:44 PM, William Clark wrote: Running the following from CentOS upstream: krb5-server-1.10.3-10.el6_4.6.x86_64 I am not adverse to going with the latest stable MIT version

The mysterious death of kprop when running incremental propagtion

if the principal DB is getting locked, and if this is causing kprop/kadmin to get in a very funny state. Is this even a viable concern? Need some help on this before I am forced to go back to old propagation methods. William Clark Kerberos mailing list

Managing policies in a multi KDC environment?

policy support, however since I have 10 KDC's, for me to enforce a 5 password errors to lockout type policy would be the same as giving the user 50 attempts if they craft them right. Does MIT or anyone else have a project to allow use of policies in multi KDC environments like this? William Clark

Re: Combined database propagation environment possible (Traditional and Incremental kprop)?

I think I came to the conclusion in testing that the only way to do this is Alternate Plan A. When you turn on kiprop, it disables the ability to traditionally push and install a principal DB. William Clark On Sep 26, 2013, at 2:07 PM, William Clark majorgearh...@gmail.com wrote

Combined database propagation environment possible (Traditional and Incremental kprop)?

, but it is necessary for me to bring our large infrastructure to modern hosts and version of Kerberos. Any help would be greatly appreciated! William Clark Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos