Re: password expiry for a principal
>>>>> "Russ" == Russ Allbery <email@example.com> writes:
Russ> Coy Hile <firstname.lastname@example.org> writes:[color=blue][color=green]
>> kadmin: modprinc +needchange cah220
>> Principal "cah220@COYHILE.COM" modified.
>> kadmin: quit
>> [22:53:31]supergrover:~ % kinit cah220
>> kinit(v5): Password has expired while getting initial credentials
>> [22:53:37]supergrover:~ %
>> For what it's worth, I'm using an MIT kdc (actually SEAM).[/color][/color]
Russ> I don't believe kinit supports prompting for password changes, but you can
Russ> still use kpasswd when the principal is marked +needchange. A good PAM
Russ> module should currently handle this case and prompt the user to change
Russ> their password.
A modern kinit program that uses the get_init_creds API will prompt
for a password change if the password has expired. I don't know if
the SEAM kinit is one of these, and you didn't mention which kinit
program you're using.