[Freeipa-users] Do expired passwords remain usable indefinitely?
Prasun Gera
prasun.gera at gmail.com
Tue Oct 25 09:50:15 UTC 2016
>
> There appears to be only one case where NAME_EXP is returned: when the
> client.expiration field is passed (not client.pw_expiration)
>
> I think "expiration" must equate to the "principal expiration" in IPA. But
> only regular password expiry would give you the option of changing it.
>
>
Thanks Brian. Can you explain a bit more? When is principal expiration
triggered? I haven't set it explicitly for any user, and ipa user-show
doesn't show that attribute either. I'm not very familiar with Kerberos.
And as you and David said earlier, if the principal expires, kinit
shouldn't work either, right?
> Regards,
>
> Brian.
>
> === from src/kdc/kdc_util.c ===
>
>     /* The client must not be expired */
>     if (client.expiration && client.expiration < kdc_time) {
>         *status = "CLIENT EXPIRED";
>         if (vague_errors)
>             return(KRB_ERR_GENERIC);
>         else
>             return(KDC_ERR_NAME_EXP);
>     }
>
>     /* The client's password must not be expired, unless the server is
>        a KRB5_KDC_PWCHANGE_SERVICE. */
>     if (client.pw_expiration && client.pw_expiration < kdc_time &&
>         !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
>         *status = "CLIENT KEY EXPIRED";
>         if (vague_errors)
>             return(KRB_ERR_GENERIC);
>         else
>             return(KDC_ERR_KEY_EXP);
>     }
>
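To make the two checks Brian quoted concrete, here is a small stand-alone model of them (an added example, not the KDC's own code and not part of this thread). It reproduces the order and conditions of the quoted kdc_util.c logic with a local `client_entry`/`server_entry` struct, local error-code constants (the numeric values are the RFC 4120 ones) and a locally defined PWCHANGE_SERVICE flag bit; `request_outcome()` and `main()` are illustration helpers of my own. The scenarios show what a principal whose `expiration` is unset (the case the question describes, where `ipa user-show` shows no expiration attribute) gets back once its password has expired: KDC_ERR_KEY_EXP for a normal ticket, but success against a server flagged as the password-change service, while a principal-level expiration fails for every server.

```c
#include <stdint.h>
#include <stdio.h>

/* Kerberos timestamps as the KDB stores them: seconds since epoch, 0 = unset. */
typedef uint32_t krb5_timestamp_t;

/* Minimal stand-ins for the KDB entries the KDC consults. */
struct client_entry {
    krb5_timestamp_t expiration;    /* principal expiration (krbPrincipalExpiration) */
    krb5_timestamp_t pw_expiration; /* password expiration (krbPasswordExpiration) */
};

struct server_entry {
    uint32_t attributes;            /* KDB attribute flags of the requested service */
};

/* Local constants; the error code values match RFC 4120 section 7.5.9. */
enum {
    KDC_OK = 0,
    KDC_ERR_NAME_EXP = 1,   /* client's entry in database has expired */
    KDC_ERR_KEY_EXP = 23,   /* password has expired; change password to reset */
    KRB_ERR_GENERIC = 60
};

/* Flag bit marking a service as the password-change service (e.g. kadmin/changepw).
 * Defined locally for this model. */
#define KRB5_KDB_PWCHANGE_SERVICE 0x00002000u

/* Mirrors the two quoted checks, in the same order: principal expiration first,
 * then password expiration, which is waived only for the password-change service.
 * Returns the error the KDC would send and sets *status to the KDC log string. */
int check_client_expiry(const struct client_entry *client,
                        const struct server_entry *server,
                        krb5_timestamp_t kdc_time, int vague_errors,
                        const char **status)
{
    if (client->expiration && client->expiration < kdc_time) {
        *status = "CLIENT EXPIRED";
        return vague_errors ? KRB_ERR_GENERIC : KDC_ERR_NAME_EXP;
    }
    if (client->pw_expiration && client->pw_expiration < kdc_time &&
        !(server->attributes & KRB5_KDB_PWCHANGE_SERVICE)) {
        *status = "CLIENT KEY EXPIRED";
        return vague_errors ? KRB_ERR_GENERIC : KDC_ERR_KEY_EXP;
    }
    *status = "OK";
    return KDC_OK;
}

/* Illustration helper: outcome of one AS request given the two expiry fields,
 * whether the target service is the password-change service, and the KDC clock. */
int request_outcome(krb5_timestamp_t princ_exp, krb5_timestamp_t pw_exp,
                    int server_is_pwchange, krb5_timestamp_t now)
{
    struct client_entry c = { princ_exp, pw_exp };
    struct server_entry s = { server_is_pwchange ? KRB5_KDB_PWCHANGE_SERVICE : 0 };
    const char *status;
    return check_client_expiry(&c, &s, now, 0, &status);
}

int main(void)
{
    /* Constructed sample clock: password expired a day ago, principal never expires. */
    const krb5_timestamp_t now = 1477388400u;           /* 2016-10-25 10:20:00 UTC */
    const krb5_timestamp_t yesterday = now - 86400u;

    printf("pw expired, krbtgt request  : %d (expect %d KDC_ERR_KEY_EXP)\n",
           request_outcome(0, yesterday, 0, now), KDC_ERR_KEY_EXP);
    printf("pw expired, changepw request: %d (expect %d KDC_OK)\n",
           request_outcome(0, yesterday, 1, now), KDC_OK);
    printf("principal expired, changepw : %d (expect %d KDC_ERR_NAME_EXP)\n",
           request_outcome(yesterday, 0, 1, now), KDC_ERR_NAME_EXP);
    printf("nothing expired, krbtgt     : %d (expect %d KDC_OK)\n",
           request_outcome(0, now + 86400u, 0, now), KDC_OK);
    return 0;
}
```

The point the model makes explicit: with `expiration` left at 0 the first branch never fires, so an IPA user whose only expiry is the password one is refused for every service except the password-change service, which is exactly what lets kinit prompt for a new password instead of failing outright.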