[OpenAFS] One of my users has married - what to do?

John Hascall john@iastate.edu
Sun, 29 Apr 2007 21:27:50 CDT

> On 4/29/07, Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
> > >If I recall correctly, our method for handling the salt correctly for
> > >any enctype now involves having the person set a new password
> > >when they change their username.

> > If you're going to do this anyway, and assuming you aren't doing
> > the right magic to preserve the password history correctly (from what I
> > remember, that old code in kadmind didn't do that), then why are you
> > adding the code for rename_principal back into kadmind?  It sounds
> > like you could do everything you are talking about with a delete
> > and an add.

> We started having users set a new password when they change
> their username within the last year.  We've been putting the
> rename code back in for a lot longer.  John would have to say
> if we do anything with password history, though I think we
> don't.

   Password history is a moot point for us.  Should we care
   about that at some point, we'll worry about it then.

   The needing to do a password change is not because of anything in
   Kerberos itself, it's because we sync our MIT and Windows-AD KDCs
   and because WebCT Vista's kerberos implementation is a total piece
   of crap.  It doesn't do the enctype or salt stuff right and so
   it can only auth against a Win-AD KDC (or I'm presuming an MIT
   KDC setup to use the exact same enctype/salt), and because it
   doesn't do the salt correctly, anyone who has had a rename can't
   login to WebCT until they've had a password change.

   When I finally got somebody at WebCT/Blackboard/whatever to
   understand how broken their implementation was, they offered
   to let us pay them to fix it.  Umm, No.