Looking in MIT krb5 source:

$ grep -R ERR_NAME_EXP .
./src/include/k5-int.h:#define KDC_ERR_NAME_EXP 1 /* Client's entry in DB expired */
./src/kdc/kdc_util.c:            return(KDC_ERR_NAME_EXP);
./src/lib/krb5/error_tables/krb5_err.et:error_code KRB5KDC_ERR_NAME_EXP, "Client's entry in database has expired"

There appears to be only one case where NAME_EXP is returned: when the client.expiration field is past (not client.pw_expiration).

The fields are defined in krb5_db_entry in src/include/kdb.h:

    krb5_timestamp expiration;    /* When the client expires */
    krb5_timestamp pw_expiration; /* When its passwd expires */

I think "expiration" must equate to the "principal expiration" in IPA. But only regular password expiry would give you the option of changing it.

Regards,

Brian.

=== from src/kdc/kdc_util.c ===

    /* The client must not be expired */
    if (client.expiration && client.expiration < kdc_time) {
        *status = "CLIENT EXPIRED";
        if (vague_errors)
            return(KRB_ERR_GENERIC);
        else
            return(KDC_ERR_NAME_EXP);
    }

    /* The client's password must not be expired, unless the server is
       a KRB5_KDC_PWCHANGE_SERVICE. */
    if (client.pw_expiration && client.pw_expiration < kdc_time &&
        !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
        *status = "CLIENT KEY EXPIRED";
        if (vague_errors)
            return(KRB_ERR_GENERIC);
        else
            return(KDC_ERR_KEY_EXP);
    }
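A stand-alone model of the two checks quoted above, added here as an example and not MIT krb5 code; the error-code values follow RFC 4120 and kdb.h, and db_entry is an assumed minimal stand-in for krb5_db_entry with only the fields the checks read. It shows that an expired password is waived for the change-password service, while an expired principal is refused even there:

```c
/* Added example, not MIT krb5 source: a stand-alone model of the two checks
 * quoted above. Constant values follow RFC 4120 and kdb.h; db_entry is a
 * minimal stand-in for krb5_db_entry with only the fields the checks read. */
#include <stdio.h>
#include <stdint.h>

#define KDC_ERR_NAME_EXP 1               /* principal (client.expiration) expired */
#define KDC_ERR_KEY_EXP 23               /* password (client.pw_expiration) expired */
#define KRB_ERR_GENERIC 60               /* substituted when vague_errors is set */
#define KRB5_KDB_PWCHANGE_SERVICE 0x2000 /* server attribute bit: kadmin/changepw */

typedef int32_t krb5_timestamp;
typedef struct {
    krb5_timestamp expiration;    /* when the principal expires (0 = never) */
    krb5_timestamp pw_expiration; /* when its password expires (0 = never) */
    uint32_t attributes;          /* KRB5_KDB_* flag bits */
} db_entry;

/* Returns 0 if the request may proceed, else the KDC error code.
 * *status receives the string the KDC logs for the refusal. */
int check_client_expiry(const db_entry *client, const db_entry *server,
                        krb5_timestamp kdc_time, int vague_errors,
                        const char **status)
{
    if (client->expiration && client->expiration < kdc_time) {
        *status = "CLIENT EXPIRED";
        return vague_errors ? KRB_ERR_GENERIC : KDC_ERR_NAME_EXP;
    }
    /* Password expiry is waived only when the server is the change-password service */
    if (client->pw_expiration && client->pw_expiration < kdc_time &&
        !(server->attributes & KRB5_KDB_PWCHANGE_SERVICE)) {
        *status = "CLIENT KEY EXPIRED";
        return vague_errors ? KRB_ERR_GENERIC : KDC_ERR_KEY_EXP;
    }
    *status = "OK";
    return 0;
}

int main(void)
{
    const krb5_timestamp now = 1700000000;        /* constructed "current" KDC time */
    const db_entry host_svc = {0, 0, 0}, kpasswd = {0, 0, KRB5_KDB_PWCHANGE_SERVICE};
    const db_entry pw_expired = {0, now - 1, 0}, princ_expired = {now - 1, 0, 0};
    const char *st;
    printf("pw expired -> host: %d\n", check_client_expiry(&pw_expired, &host_svc, now, 0, &st));
    printf("pw expired -> kpasswd: %d\n", check_client_expiry(&pw_expired, &kpasswd, now, 0, &st));
    printf("principal expired -> kpasswd: %d\n", check_client_expiry(&princ_expired, &kpasswd, now, 0, &st));
    return 0;
}
```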

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project