>
> There appears to be only one case where NAME_EXP is returned: when the
> client.expiration field is passed (not client.pw_expiration)
>
> I think "expiration" must equate to the "principal expiration" in IPA. But
> only regular password expiry would give you the option of changing it.

Thanks Brian. Can you explain a bit more? When is principal expiration triggered? I haven't set it explicitly for any user, and ipa user-show doesn't show that attribute either. I'm not very familiar with Kerberos. And as you and David said earlier, if the principal expires, kinit shouldn't work either, right?
> Regards,
>
> Brian.
>
> === from src/kdc/kdc_util.c ===
>
>     /* The client must not be expired */
>     if (client.expiration && client.expiration < kdc_time) {
>         *status = "CLIENT EXPIRED";
>         if (vague_errors)
>             return(KRB_ERR_GENERIC);
>         else
>             return(KDC_ERR_NAME_EXP);
>     }
>
>     /* The client's password must not be expired, unless the server is
>        a KRB5_KDC_PWCHANGE_SERVICE. */
>     if (client.pw_expiration && client.pw_expiration < kdc_time &&
>         !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
>         *status = "CLIENT KEY EXPIRED";
>         if (vague_errors)
>             return(KRB_ERR_GENERIC);
>         else
>             return(KDC_ERR_KEY_EXP);
>     }
>
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
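The following is an added example (editor's code, not from this thread, from MIT krb5 or from FreeIPA) that replays the two checks quoted above from src/kdc/kdc_util.c against the Kerberos LDAP attributes a FreeIPA user entry can carry, so the difference between the two fields in the thread becomes visible: krbPrincipalExpiration is assumed to be what the IPA KDB driver feeds into client.expiration, and krbPasswordExpiration what it feeds into client.pw_expiration. The LDIF entries are constructed sample data, the numeric error codes are the RFC 4120 values for the names used in the snippet, the server_is_pwchange parameter stands in for the KRB5_KDB_PWCHANGE_SERVICE flag on the server entry, and all function names are the editor's own.

```python
"""Replay of the KDC client-expiry checks quoted from kdc_util.c, run over
FreeIPA-style LDAP attributes. Added example, not krb5 or FreeIPA code."""
from datetime import datetime, timezone

# Numeric values from RFC 4120 section 7.5.9 for the names in the snippet.
KDC_ERR_NAME_EXP = 1
KDC_ERR_KEY_EXP = 23
KRB_ERR_GENERIC = 60


def parse_generalized_time(value):
    """LDAP GeneralizedTime as stored in krbPrincipalExpiration /
    krbPasswordExpiration (e.g. '20240131235959Z') -> UTC epoch seconds."""
    return int(datetime.strptime(value, "%Y%m%d%H%M%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def parse_ldif(text):
    """Minimal parser for a single-entry LDIF fragment ('attr: value' lines).
    Attribute names are lowercased; multi-valued attributes become lists."""
    entry = {}
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, val = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(val.strip())
    return entry


def check_client(entry, kdc_time, server_is_pwchange=False, vague_errors=False):
    """Same two checks, same order, as the quoted kdc_util.c code.
    Returns (status, error_code); (None, 0) means both checks passed.
    An absent attribute behaves like a 0 field in the KDB: never expired."""
    expiration = entry.get("krbprincipalexpiration")       # -> client.expiration
    pw_expiration = entry.get("krbpasswordexpiration")     # -> client.pw_expiration

    # 1. principal expiry: rejected for every service, kadmin/changepw included
    if expiration and parse_generalized_time(expiration[0]) < kdc_time:
        return "CLIENT EXPIRED", (KRB_ERR_GENERIC if vague_errors
                                  else KDC_ERR_NAME_EXP)

    # 2. password expiry: waived only when the server is a pwchange service
    if (pw_expiration and parse_generalized_time(pw_expiration[0]) < kdc_time
            and not server_is_pwchange):
        return "CLIENT KEY EXPIRED", (KRB_ERR_GENERIC if vague_errors
                                      else KDC_ERR_KEY_EXP)

    return None, 0


# Constructed sample entries; not real directory data.
ALICE = parse_ldif("""
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbPrincipalName: alice@EXAMPLE.TEST
krbPasswordExpiration: 20240101000000Z
""")
BOB = parse_ldif("""
dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
krbPrincipalName: bob@EXAMPLE.TEST
krbPrincipalExpiration: 20231231000000Z
krbPasswordExpiration: 20990101000000Z
""")
CAROL = parse_ldif("""
dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
krbPrincipalName: carol@EXAMPLE.TEST
""")
# Constructed "now" for the KDC, after alice's and bob's expiry dates.
KDC_TIME = parse_generalized_time("20240601120000Z")


def verdict_table():
    """One row per (user, server kind); handy to eyeball from the CLI."""
    rows = {}
    for name, entry in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        for server in ("host/web.example.test", "kadmin/changepw"):
            rows[(name, server)] = check_client(
                entry, KDC_TIME, server_is_pwchange=(server == "kadmin/changepw"))
    return rows


if __name__ == "__main__":
    for (name, server), (status, code) in verdict_table().items():
        print(f"{name:6} -> {server:22} {status or 'ok':18} err={code}")
```

Reading the table: an expired password (alice) yields KDC_ERR_KEY_EXP for an ordinary service but passes for kadmin/changepw, which is why the user still gets to change it; an expired principal (bob) yields KDC_ERR_NAME_EXP for every service, so neither kinit nor a password change is possible. To see which of the two attributes a given IPA user actually carries, dump the entry's raw attributes with ldapsearch rather than relying on the formatted ipa user-show output.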