password expiration not prompting - solaris 10


CT
Nov 25, 2009, 1:48:17 PM
to kerb...@mit.edu
Hi,

Having an issue where when an account password has expired it doesn't
prompt user to change it and lets user log in. It does show a message
saying that it has expired.
Running Solaris 10 client authenticating to AD Kerberos. Does anyone
know how I can configure PAM/Kerberos to prompt?

Thanks.

Russ Allbery
Nov 25, 2009, 8:55:57 PM
to CT, kerb...@mit.edu
CT <cal...@gmail.com> writes:

> Having an issue where when an account password has expired it doesn't
> prompt user to change it and lets user log in. It does show a message
> saying that it has expired.

Sun intentionally disables the normal Kerberos library support for
changing passwords when authenticating with expired passwords. I'm not
sure why they chose to do that.

If you're running into this in the PAM context, you can work around this
by using a PAM module and an application that supports the fully correct
PAM method of handling expired accounts (return success from auth and then
indicate a password change is needed in the account stack), or you can use
a PAM module that detects and works around this case by doing the password
change prompting itself in the auth stack (my pam-krb5 with force_pwchange
set in the options, for instance).

--
Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/>
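
The second workaround described in the reply above, sketched as a Solaris 10 `/etc/pam.conf` fragment. This is an added example, not part of the original thread and not taken from the pam-krb5 documentation; the `login` service, the surrounding stock modules and the module install path are assumptions to adapt to the local system.

```conf
# /etc/pam.conf fragment, Solaris 10 field order:
#   service  module_type  control_flag  module_path  [options]
#
# Constructed example. The path below is an ASSUMED install location for
# Russ Allbery's pam-krb5; it is not the Solaris-bundled pam_krb5.so.1.

# Collect the password once, then run the usual Solaris credential modules.
login  auth requisite   pam_authtok_get.so.1
login  auth required    pam_dhkeys.so.1
login  auth required    pam_unix_cred.so.1

# Kerberos authentication. With force_pwchange set, the module itself
# prompts for a new password inside the auth stack when the KDC reports
# the password as expired, instead of relying on the Kerberos library
# (which Sun's build does not do) or on the application's handling of
# the account stack.
login  auth sufficient  /usr/local/lib/security/pam_krb5.so try_first_pass force_pwchange

# Local fallback for accounts that are not in Kerberos.
login  auth required    pam_unix_auth.so.1
```

Each service that should enforce the change (for example the entries used by remote logins) needs the same option on its own `auth` line, since `pam.conf` is matched per service name.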
