[31724] in Kerberos
Re: password expiration not prompting - solaris 10
daemon@ATHENA.MIT.EDU (Russ Allbery)
Wed Nov 25 20:56:22 2009
From: Russ Allbery <rra@stanford.edu>
To: CT <caltri@gmail.com>
In-Reply-To: <dc9bb4ce0911251048yaeb1053u15429f26bf5ff8f3@mail.gmail.com>
(CT's message of "Wed, 25 Nov 2009 10:48:17 -0800")
Date: Wed, 25 Nov 2009 17:55:57 -0800
Message-ID: <87aayaoxqq.fsf@windlord.stanford.edu>
Cc: kerberos@mit.edu

CT <caltri@gmail.com> writes:

> Having an issue where when an account password has expired it doesn't
> prompt user to change it and lets user log in. It does show a message
> saying that it has expired.

Sun intentionally disables the normal Kerberos library support for
changing passwords when authenticating with expired passwords. I'm not
sure why they chose to do that.

If you're running into this in the PAM context, you can work around this
by using a PAM module and an application that supports the fully correct
PAM method of handling expired accounts (return success from auth and then
indicate a password change is needed in the account stack), or you can use
a PAM module that detects and works around this case by doing the password
change prompting itself in the auth stack (my pam-krb5 with force_pwchange
set in the options, for instance).

--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
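
The second workaround mentioned in the message above, shown as an added /etc/pam.conf example that is not part of the original post. It assumes the `login` service, that Russ Allbery's pam-krb5 was built locally and installed at the hypothetical path /usr/local/lib/security/pam_krb5.so, and that the rest of the site's stack stays as it is.

```conf
# /etc/pam.conf (Solaris 10): service  type  control-flag  module  [options]
# Constructed example; the module path below is an assumption, not from the post.

# Before: the Sun-supplied module in the auth stack. With an expired
# password the user sees the expiry message but is still logged in
# without being asked to change it (the behaviour reported in the thread).
#login  auth  requisite   pam_authtok_get.so.1
#login  auth  sufficient  pam_krb5.so.1
#login  auth  required    pam_unix_auth.so.1

# After: pam-krb5 with force_pwchange. When the KDC reports the password
# as expired, the module prompts for a new password and changes it during
# authentication, so the application does not need to handle expiry
# through the account stack.
login   auth  requisite   pam_authtok_get.so.1
login   auth  sufficient  /usr/local/lib/security/pam_krb5.so use_first_pass force_pwchange
login   auth  required    pam_unix_auth.so.1
```

Keep a root session open while testing the change, and confirm with a test principal whose password has been expired that login now stops at a change prompt instead of only printing the warning.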