[OpenAFS] Odd syncing behaviour AFTER upgrade

John Lockard jlockard@umich.edu
Thu, 15 Jan 2004 12:40:21 -0500 

Greater than 8 is discarded by Solaris (at least up to Solaris 8).
If all mechanisms for creating the krb password are done on Solaris
then any characters after the 8th are tossed and ignored.  The user
can continue to type their 15 character password and all is "fine".
I guess the problems crop up when other systems are thrown in on the
mix.

-John

On Thu, Jan 15, 2004 at 12:29:03PM -0500, Norman P. B. Joseph wrote:
> On Thu, 2004-01-15 at 11:03, Derrick J Brashear wrote:
> > []
> > > Wait a minute.  Aren't these databases supposed to agree?
> > 
> > The kaserver "account locked" stuff is in an external, unsync'd database.
> > 
> > > Anybody seen this?  What's going on, and how do I fix it?
> > 
> > Make your users get their passwords right, or just disable the account
> > locking.
> 
> The account locking is a policy issue here that's not going away any
> time soon.  But thanks for the suggestion.
> 
> In poking around there seems to be another issue at play.  The account
> was getting locked because the user's password was no longer being
> recognized (and in fewer than the 5 attempts we have configured on the
> account).  On a hunch I asked how long his password was.  It was 11
> characters.  I asked him to reset it to the 1st 8 characters, and after
> he did he was able to get tokens again through the Windows client.
> 
> I vaguely recall an issue years ago with passwords greater than 8
> characters, but thought that was no longer the case.  Are AFS passwords
> restricted to 8 characters?
> 
> What's confusing about all this is that we've been humming along for
> better than two years without these things (unsynced account locking
> information and > 8 character passwords) being an issue until Tuesday. 
> The only thing that's changed in my environment have been the new
> database servers that were installed on Monday.  I'm just looking for
> some insight from people with more experience than I have.
> 
> Thanks,
> -- 
>  Norman Joseph, Systems Engineer           joseph@ctcgsc.org      IC|XC
>  Concurrent Technologies Corporation         814/269.2633         --+--
>  Global Systems Center                                            NI|KA
> 
>   ***  Be kind, for everyone you meet is fighting a great battle  ***
> 
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
> 

-- 
--jlockard - "Optimist: The glass is half full.
              Pessimist: The glass is half empty.
              IT Guy: The glass is twice as big as it needs to be."