On Tue, Apr 04, 2006 at 09:44:45AM -0400, Matthew J. Smith wrote:
> Thank you for the responses so far. I've received a few suggestions
> that I use the dump file to gather my information, and I may go down
> that road. However, I am still interested if anyone has implemented
> anything using the kadmin protocol, so that the code does not need any
> local access to the KDC. Any comments?

We have a script here that we have been using for the last couple years to do this very thing. It uses kadmin.local to grab a list of the principals, then does a getprinc for each of them (ignoring the principals we don't want such as host/, cross-realm, etc.). Then it parses the getprinc output and determines who needs to get a warning, who needs to be expired, etc.

So in theory, the same thing would work remotely, except that if you wanted an automated process, the admin password would need to be stored somewhere (script or keytab), which may be questionable.

Any reason you wouldn't want to run it on a KDC? No problem automating it there, and you wouldn't need to have an admin password laying around (or if you did it's not that big of an issue since all other principal keys are on the machine anyway :).

Also, recently we started dumping the principal database into a MySQL database nightly (just user info, not the keys :). We can now track any changes done to all principals over time. Users and admins can also look at their (or others') principal information on a web page (based on the access permissions they have).

> Matthew J. Smith wrote:
> > Hello all,
> >
> > I am using MIT Krb5 1.4.3, and am looking to send an email
> > notification to my users 14 days before their passwords expire. I have
> > cobbled together a Proof-of-Concept using kadmin -q "getprinc -terse" to
> > scrape the password expiration date from each principal. The PoC works,
> > but seems "inefficient", requiring a getprinc to the KDC for each princ
> > returned by listprincs. Is there a better way? Is there a way to query
> > the KDC for a list of users whose password is about to expire? Or at
> > least, is there a kadm5_get_principals call that will return an array of
> > principal structures (instead of just a string[] of names), which I can
> > just iterate over locally, looking at expiration timestamps?
> >
> > Thank you for any insight you can offer,
> > -Matt
> >
> > ---
> > [EMAIL PROTECTED]
> > University of Connecticut ITS
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos

--
James J. Barlow <[EMAIL PROTECTED]>
Head of Security Operations and Incident Response
National Center for Supercomputing Applications
1205 West Clark Street, Urbana, IL 61801
Voice : (217)244-6403
Cell : (217)840-0601
Fax : (217)244-1987
http://www.ncsa.uiuc.edu/~jbarlow
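An added example, not the script from the reply above or the original poster's PoC, of the parse-and-filter step both messages describe: read `getprinc -terse` lines (the format Matt scrapes), skip host/ and cross-realm principals as the reply suggests, and select user passwords expiring within 14 days. The `collect_from_kdc` helper shows the on-KDC `kadmin.local` loop; the terse sample lines, the EXAMPLE.ORG realm and the fixed "now" are constructed for the example.

```python
import subprocess
from datetime import datetime, timedelta, timezone

# Principals that are not users and should not get warnings: service and cross-realm keys.
SKIP_PREFIXES = ("host/", "krbtgt/", "kadmin/")


def parse_terse_getprinc(line):
    """Parse one `getprinc -terse` line into (principal, pw_expiration).

    The terse format is tab-separated: the quoted principal name first, then
    numeric fields; field 3 is pw_expiration in seconds since the epoch,
    where 0 means the password never expires. Later fields are not used here.
    """
    fields = line.rstrip("\n").split("\t")
    return fields[0].strip('"'), int(fields[3])


def expiring_soon(records, now, warn_days=14):
    """Return [(principal, days_left)] for user passwords expiring within warn_days."""
    window = timedelta(days=warn_days)
    hits = []
    for principal, pw_exp in records:
        if pw_exp == 0 or principal.startswith(SKIP_PREFIXES):
            continue  # never expires, or not a user principal
        remaining = datetime.fromtimestamp(pw_exp, tz=timezone.utc) - now
        if timedelta(0) < remaining <= window:  # already-expired accounts need a different action
            hits.append((principal, remaining.days))
    return hits


def collect_from_kdc(kadmin=("kadmin.local",)):
    """On the KDC itself: listprincs, then one getprinc -terse call per principal."""
    def query(cmd):
        return subprocess.run([*kadmin, "-q", cmd], capture_output=True, text=True, check=True).stdout
    princs = [l.strip() for l in query("listprincs").splitlines() if "@" in l and "\t" not in l]
    lines = [l for p in princs for l in query(f"getprinc -terse {p}").splitlines() if "\t" in l]
    return [parse_terse_getprinc(l) for l in lines]


# Constructed sample (not real KDC output): terse lines relative to a fixed "now".
NOW = datetime(2006, 4, 4, 14, 0, tzinfo=timezone.utc)
def _at(days): return int((NOW + timedelta(days=days)).timestamp())
SAMPLE_TERSE = [
    f'"alice@EXAMPLE.ORG"\t0\t{_at(-80)}\t{_at(10)}\t86400\t"root/admin@EXAMPLE.ORG"\t{_at(-80)}\t0\t3\t1\t"default"\t604800\t0\t0\t0\t1',
    f'"bob@EXAMPLE.ORG"\t0\t{_at(-10)}\t{_at(80)}\t86400\t"root/admin@EXAMPLE.ORG"\t{_at(-10)}\t0\t2\t1\t"default"\t604800\t0\t0\t0\t1',
    f'"host/kdc.example.org@EXAMPLE.ORG"\t0\t{_at(-200)}\t{_at(3)}\t86400\t"root/admin@EXAMPLE.ORG"\t{_at(-200)}\t0\t1\t1\t"[none]"\t604800\t0\t0\t0\t1',
]


def sample_report():
    """Run the filter over the constructed sample; only alice falls inside the 14-day window."""
    return expiring_soon([parse_terse_getprinc(l) for l in SAMPLE_TERSE], NOW)
```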