On Monday, November 27, 2006 03:26:25 PM -0200 Andreas Hasenack <[EMAIL PROTECTED]> wrote:
> When I run MIT's kinit (version 1.4.3 + sec.patch) against a heimdal KDC
> (0.7, backend in ldap, no samba attributes), I always get the password
> expiration warning:
>
> $ kinit
> Password for [EMAIL PROTECTED]:
> Warning: Your password will expire in 364 days on Tue Nov 27 15:17:52 2007
> $
>
> The KDC has this attribute in this user's entry:
> krb5PasswordEnd: 20071127171752Z
>
> If I do the same from heimdal's kinit, I only get the warning if the
> expiration time is in 7 days or less, which is my intention.
>
> I suppose there is some incompatibility in the network protocol
> between the two implementations?

No. The protocol carries information about when the password is due to expire; it's up to the client to decide what to do with this data (of course, if the password is expired, the KDC will return an error).

There are two ways in which password expiration data can be carried in the Kerberos protocol, both of which are optional. In one of these cases (the use of last-req to carry key or account expiration data), if the data is provided, the MIT client code always prints a warning; in the other (the key-expiration field), the warning is printed only if the password expires within 7 days.

The Heimdal KDC provides a last-req entry for account expiration if the principal has an expiration date, and provides an entry for password expiration if the password expires within the period specified by the kdc_warn_expire option; if the option is not set, this data is always provided. The Heimdal client prints expiration data only if the expiration date is within the period specified by the warn_pwexpire config option, which defaults to 7 days.

So, this difference is a result of a difference in client behavior, with the proviso that as of the version I looked at (possibly fairly old), MIT Kerberos does not provide any mechanism for changing the client configuration; it always warns about last-req data for password or account expiration, and warns about key-expiration only if the expiration date is within 7 days.

-- 
Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
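An added model (not code from MIT krb5 or Heimdal) of the two KDC-side carriers of expiry data and the two client policies described in the reply, replayed against the krb5PasswordEnd value and kinit time from the original post. It assumes the RFC 4120 LastReq type numbers 6 (password expiry) and 7 (account expiry), and that the Heimdal KDC fills key-expiration from the password end time; the function and constant names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

LR_PW_EXPTIME = 6    # RFC 4120 5.4.2 LastReq type: time the password expires
LR_ACCT_EXPTIME = 7  # RFC 4120 5.4.2 LastReq type: time the account expires

def parse_generalized_time(s: str) -> datetime:
    """Parse an LDAP GeneralizedTime like krb5PasswordEnd: 20071127171752Z."""
    if len(s) != 15 or not s.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime {s!r}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

@dataclass
class KdcRep:  # the two optional carriers of expiry data in a KDC reply
    last_req: dict = field(default_factory=dict)  # lr-type -> datetime
    key_expiration: datetime = None

def heimdal_kdc_reply(now, pw_end=None, acct_end=None, kdc_warn_expire=None):
    """Heimdal KDC policy as described in the reply above.  Filling
    key-expiration from pw_end is an assumption made for this model."""
    rep = KdcRep(key_expiration=pw_end)
    if acct_end is not None:
        rep.last_req[LR_ACCT_EXPTIME] = acct_end  # always provided
    if pw_end is not None and (kdc_warn_expire is None
                               or pw_end - now <= kdc_warn_expire):
        rep.last_req[LR_PW_EXPTIME] = pw_end      # only when "soon" (or unset)
    return rep

def mit_client_warnings(rep, now, warn_within=timedelta(days=7)):
    """MIT client (no config knob): warn on any last-req expiry entry; fall
    back to key-expiration only if there is none and it is within 7 days."""
    warns = [(t, when) for t, when in rep.last_req.items()
             if t in (LR_PW_EXPTIME, LR_ACCT_EXPTIME)]
    if not warns and rep.key_expiration is not None \
            and rep.key_expiration - now <= warn_within:
        warns.append((LR_PW_EXPTIME, rep.key_expiration))
    return warns

def heimdal_client_warnings(rep, now, warn_pwexpire=timedelta(days=7)):
    """Heimdal client: warn only when the expiry lies within warn_pwexpire."""
    candidates = dict(rep.last_req)
    if rep.key_expiration is not None:
        candidates.setdefault(LR_PW_EXPTIME, rep.key_expiration)
    return [(t, w) for t, w in candidates.items() if w - now <= warn_pwexpire]

# Constructed scenario from the post: kinit run 2006-11-27 15:26:25 -0200.
NOW = datetime(2006, 11, 27, 17, 26, 25, tzinfo=timezone.utc)
PW_END = parse_generalized_time("20071127171752Z")
```

With kdc_warn_expire unset the KDC sends the last-req entry, so the MIT client warns 364 days out while the Heimdal client stays silent; setting kdc_warn_expire to a week on the KDC removes the entry and the MIT warning with it.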