Petr Grolmus <[email protected]> writes:
> we are using a farm of 3 WebKDC servers, but we want to change expiring
> passwords just on one of them. The reason is that in krb5.conf the kadmin
> server is listed in first place, so a user who changes his password there
> can immediately obtain tickets... Propagation of changes from the kadmin
> server to the KDC slaves takes about 5 minutes. So we are looking for an
> appropriate solution.
Well, first off, depending on what Kerberos libraries you use, you may be
able to avoid this problem at a lower level. If you add the master_kdc
option in krb5.conf, as in:
    stanford.edu = {
        kdc = krb5auth1.stanford.edu:88
        kdc = krb5auth2.stanford.edu:88
        kdc = krb5auth3.stanford.edu:88
        master_kdc = krb5auth1.stanford.edu:88
        admin_server = krb5-admin.stanford.edu
        kpasswd_server = krb5-admin.stanford.edu
        default_domain = stanford.edu
        kadmin_port = 749
    }
then if the client uses one of the non-master KDCs and gets a bad password
error, it will retry with the master_kdc before failing. This means that
you can mostly ignore the propagation delay to the slaves because the
client will handle attempting authentication with the master. This should
allow you to use all three WebKDCs for changing passwords.
I don't recall if Heimdal has the same behavior.
> We supposed that setting the $EXPIRING_PW_URL variable in webkdc.conf
> is enough, but it seems it doesn't work as expected or described:
> "The location for the password redirect form, used to redirect users
> with expiring or expired passwords to update those passwords. If this is
> not set, then the check to see if the user's password is expiring soon
> is disabled and expired passwords will result in an error message rather
> than a password change dialog. Default: not set."
> Even if it is set to an exact URL on another server, it stays in the local
> login.fcgi script and displays pwchange.tmpl. Is it a bug? Or should this
> be used in another way, in connection with the other "EXPIRING" variables?
When you get the confirm page with the expiring password warning at the
top, what does the HTML look like? The standard templates have:
    <div class="errortext">
      Warning: Your password will expire in
      [% expire_time_left FILTER html %], on
      [% expire_date FILTER html %].  Please change your password
      before this happens.
      <form action="[% pwchange_url FILTER html %]"
            method="post" target="_blank"
            enctype="application/x-www-form-urlencoded">
        <input type="hidden" name="rm" value="pwchange">
        <input type="hidden" name="skip_username"
               value="[% skip_username FILTER html %]">
        <input type="hidden" name="username"
               value="[% username FILTER html %]">
        <input type="hidden" name="CPT"
               value="[% CPT FILTER html %]">
        <input type="submit" name="Submit"
               value="Change Password">
      </form>
    </div>
The [% pwchange_url FILTER html %] part is what should be replaced with
the $EXPIRING_PW_URL setting. The WebLogin code just sets that form
parameter directly to whatever $EXPIRING_PW_URL is set to.
--
Russ Allbery <[email protected]>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University
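Two checks that follow from the reply above, written here as an added example rather than code from the WebAuth/WebLogin project or from either poster. The first parses the [realms] section of a krb5.conf and reports whether master_kdc (and a kpasswd_server or admin_server) is set, which is the lower-level fix suggested for the propagation delay. The second parses a rendered WebLogin confirm page and extracts the action of the form carrying the hidden rm=pwchange field, so an operator can confirm the form really points at the $EXPIRING_PW_URL value rather than at the local login.fcgi. The krb5.conf text reuses the realm block from the reply; the HTML page and the weblogin-pw.example.com URL are constructed sample inputs.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


def parse_krb5_realms(text):
    """Parse the [realms] section of a krb5.conf into {realm: {key: [values]}}.

    Only the one level of nesting that realm blocks use is handled; other
    sections are skipped. Repeated keys (several kdc lines) are collected.
    """
    realms = {}
    section = None
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        sec = re.match(r"^\[(\w+)\]$", line)
        if sec:
            section, current = sec.group(1).lower(), None
            continue
        if section != "realms":
            continue
        start = re.match(r"^([\w.\-]+)\s*=\s*\{$", line)
        if start and current is None:
            current = realms.setdefault(start.group(1), {})
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return realms


def check_master_kdc(realms, realm):
    """Return a list of findings; empty means the realm has the fallback set up."""
    cfg = realms.get(realm)
    if cfg is None:
        return ["realm %s is not defined in [realms]" % realm]
    findings = []
    if not cfg.get("master_kdc"):
        findings.append("master_kdc is not set: a bad-password answer from a "
                        "replica KDC is final, so a fresh password change can fail")
    if not (cfg.get("kpasswd_server") or cfg.get("admin_server")):
        findings.append("neither kpasswd_server nor admin_server is set")
    return findings


class _PwChangeFormFinder(HTMLParser):
    """Collect (action, {hidden-field name: value}) for every form on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already unescapes entities in attribute values
        if tag == "form":
            self._current = (a.get("action", ""), {})
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "hidden":
                self._current[1][a.get("name", "")] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def pwchange_form_action(html):
    """Action URL of the form whose hidden rm field is 'pwchange', or None."""
    p = _PwChangeFormFinder()
    p.feed(html)
    p.close()
    for action, hidden in p.forms:
        if hidden.get("rm") == "pwchange":
            return action
    return None


def pwchange_form_points_to(html, expected_url):
    """True if the pwchange form's scheme, host and path match expected_url."""
    action = pwchange_form_action(html)
    return action is not None and urlsplit(action)[:3] == urlsplit(expected_url)[:3]


# Constructed sample inputs: the realm block from the reply, once with and
# once without master_kdc, and a rendered confirm page.
GOOD_KRB5_CONF = """
[libdefaults]
    default_realm = stanford.edu
[realms]
    stanford.edu = {
        kdc = krb5auth1.stanford.edu:88
        kdc = krb5auth2.stanford.edu:88
        kdc = krb5auth3.stanford.edu:88
        master_kdc = krb5auth1.stanford.edu:88
        admin_server = krb5-admin.stanford.edu
        kpasswd_server = krb5-admin.stanford.edu
    }
"""
BAD_KRB5_CONF = GOOD_KRB5_CONF.replace("        master_kdc = krb5auth1.stanford.edu:88\n", "")

SAMPLE_CONFIRM_PAGE = """<html><body><div class="errortext">
Warning: Your password will expire in 3 days, on 2024-01-01.
<form action="https://weblogin-pw.example.com/login" method="post" target="_blank">
<input type="hidden" name="rm" value="pwchange">
<input type="hidden" name="username" value="pgrolmus">
<input type="submit" name="Submit" value="Change Password">
</form></div>
<form action="/login" method="post"><input type="hidden" name="rm" value="logout"></form>
</body></html>"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_KRB5_CONF), ("bad", BAD_KRB5_CONF)):
        print(label, check_master_kdc(parse_krb5_realms(conf), "stanford.edu"))
    print(pwchange_form_action(SAMPLE_CONFIRM_PAGE))
```

Run against a real deployment, the second check would be fed the confirm page fetched from each of the three WebKDCs; if any of them returns an action other than the configured $EXPIRING_PW_URL, the setting is not reaching the template on that host.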