[Oops, meant this to go to the list but sent it to Nico.]

This is related to this thread I started a long time ago. I have my KDC patched to do this, and Greg offered to take the patch, but then the 1.10 KDC rearchitecture thing happened and I haven't updated it yet.

https://www.mail-archive.com/kerberos@mit.edu/msg18021.html

I will eventually update my patch, but if somebody beats me to it, that'd be cool too.

Chris

On 2014-03-06 12:37, Nico Williams wrote:
> On Thu, Mar 6, 2014 at 1:31 PM, Edgecombe, Jason <jwedg...@uncc.edu> wrote:
>> Does Heimdal reject requests for expired/disabled accounts as well?
>
> It rejects in these cases:
>
>  - the HDB doesn't have an entry for the client principal but should have
>  - the HDB did have an entry and the client principal was marked locked out
>  - the HDB did have an entry and the client principal was marked invalid
>  - the HDB did have an entry and the client principal was marked not a client
>  - the HDB did have an entry and the client principal's valid_start
>    (which is only really supported via the LDAP HDB backend)
>  - the HDB did have an entry and the client principal requires a password
>    change
>  - the HDB did have an entry and the client principal's password is expired
>
> It'd be trivial to reject requests using tickets predating the last
> password change.
>
> Nico
> --
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos