From kenh@cmf.nrl.navy.mil Thu Apr 10 13:43:08 1997
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id NAA29014 for <bugs@RT-11.MIT.EDU>; Thu, 10 Apr 1997 13:43:03 -0400
Received: from ginger.cmf.nrl.navy.mil by MIT.EDU with SMTP
id AA25519; Thu, 10 Apr 97 12:42:36 EST
Received: from nexus.cmf.nrl.navy.mil (kenh@nexus.cmf.nrl.navy.mil [134.207.10.9])
by ginger.cmf.nrl.navy.mil (8.8.5/8.8.5) with ESMTP id NAA12494
for <krb5-bugs@mit.edu>; Thu, 10 Apr 1997 13:42:41 -0400 (EDT)
Received: (from kenh@localhost)
by nexus.cmf.nrl.navy.mil (8.8.5/8.8.5) id NAA05219;
Thu, 10 Apr 1997 13:42:53 -0400 (EDT)
Message-Id: <199704101742.NAA05219@nexus.cmf.nrl.navy.mil>
Date: Thu, 10 Apr 1997 13:42:53 -0400 (EDT)
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Reply-To: kenh@cmf.nrl.navy.mil
To: krb5-bugs@MIT.EDU
Subject: Don't update the last password change field for new users
X-Send-Pr-Version: 3.99
>Number: 415
>Category: krb5-admin
>Synopsis: The current behavior of kadmind makes using minimum password lifetimes difficult
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bjaspan
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Thu Apr 10 13:44:01 EDT 1997
>Last-Modified:
>Originator: Ken Hornstein
>Organization:
Naval Research Lab
>Release: 1.0
>Environment:
System: SunOS nexus 4.1.4 3 sun4m
Architecture: sun4
>Description:
The current way kadmind works makes it difficult to use minimum password
lifetimes.
When you create a user, the "last password change" field is updated so it
has the time the account was created. This is problematic if you set a
minimum password lifetime; if you want new users to change their passwords
right away, you have to wait until the minimum password lifetime has lapsed
until they can change their password, and that simply doesn't make sense.
>How-To-Repeat:
Create a user with a long minimum password lifetime, and tell them to change
their passwords right away.
>Fix:
This simple patch makes it so newly created accounts don't have a
password change time.
--- lib/kadm5/srv/svr_principal.c.orig Mon Nov 11 17:05:18 1996
+++ lib/kadm5/srv/svr_principal.c Thu Apr 10 13:30:02 1997
@@ -212,13 +212,6 @@
return(ret);
}
- if (ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now)) {
- krb5_dbe_free_contents(handle->context, &kdb);
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return(ret);
- }
-
/* initialize the keys */
if (ret = krb5_dbe_cpw(handle->context, &master_encblock,
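Review bot: The removal in the hunk at line 212 of svr_principal.c is unconditional, so every newly created principal is left with no last-password-change value, including principals created without a policy (the removed block's own cleanup shows that `mask & KADM5_POLICY` is optional on this path). Nothing in the visible lines shows how code that later reads that field behaves when it is absent. Before applying, check that the minimum-lifetime test in the change-password path, and anything else that reads or displays the field, treats a missing value as "never changed" rather than failing. A short comment where the call used to be, stating that the field is deliberately left unset at creation and why, would keep the call from being re-added later.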
>Audit-Trail:
>Unformatted: