Re: using REQUIRES_PWCHANGE kinit reports expired passwords
"Eduardo A Muñoz" <firstname.lastname@example.org> writes:
> I'm working with Ubuntu 7.10 clients authenticating against Kerberos. The
> issue arises when I set the REQUIRES_PWCHANGE attribute on a user key so
> that at the next login they are required to change the password. Some machines
> (not all) can't authenticate when the mentioned attribute is set, they
> "kinit(v5): Password has expired while getting initial credentials"
> (Of course my password expiration time hasn't been reached and it reports
> the same working with policies or without them.)
> If I unset the attribute, I can obtain the tickets. Like I said, this
> behavior is present on some machines; others can get tickets with the
> attribute set or unset with the same principals.
This seems very strange and inconsistent. Are you sure all the client
machines are talking to the same KDC? REQUIRES_PWCHANGE should always
cause authentication failure except for service principals marked as
password-changing service principals.