[OpenAFS] One of my users has married - what to do?

John Hascall john@iastate.edu
Sun, 29 Apr 2007 21:27:50 CDT


> On 4/29/07, Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
> > > If I recall correctly, our method for handling the salt correctly for
> > > any enctype now involves having the person set a new password
> > > when they change their username.

> > If you're going to do this anyway, and assuming you aren't doing
> > the right magic to preserve the password history correctly (from what I
> > remember, that old code in kadmind didn't do that), then why are you
> > adding the code for rename_principal back into kadmind?  It sounds
> > like you could do everything you are talking about with a delete
> > and an add.

> We started having users set a new password when they change
> their username within the last year.  We've been putting the
> rename code back in for a lot longer.  John would have to say
> if we do anything with password history, though I think we
> don't.

   Password history is a moot point for us.  Should we care
   about that at some point, we'll worry about it then.

   The need to do a password change is not because of anything in
   Kerberos itself, it's because we sync our MIT and Windows-AD KDCs
   and because WebCT Vista's Kerberos implementation is a total piece
   of crap.  It doesn't do the enctype or salt stuff right and so
   it can only auth against a Win-AD KDC (or I'm presuming an MIT
   KDC set up to use the exact same enctype/salt), and because it
   doesn't do the salt correctly, anyone who has had a rename can't
   log in to WebCT until they've had a password change.

   When I finally got somebody at WebCT/Blackboard/whatever to
   understand how broken their implementation was, they offered
   to let us pay them to fix it.  Umm, No.


John
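The failure mode John describes, as an added simulation that is not part of the thread and not OpenAFS or MIT Kerberos code: the string-to-key result depends on the salt, the default salt is derived from the principal name (RFC 4120), a rename keeps the key and its old salt, and a client that ignores the salt the KDC advertises and always assumes the default salt for the current name fails until a password change regenerates the key. The realm, principal names and passwords are constructed; the AES string-to-key is truncated to its PBKDF2 stage (RFC 3962) without the final DK() step, which does not change the salt dependence shown.

```python
import hashlib

REALM = "EXAMPLE.EDU"  # constructed realm, not taken from the thread


def default_salt(principal: str) -> str:
    # RFC 4120 default salt: realm name followed by the principal components, no separators
    return REALM + principal.replace("/", "")


def string_to_key(password: str, salt: str) -> bytes:
    # First stage of the RFC 3962 AES string-to-key: PBKDF2-HMAC-SHA1, 4096 iterations.
    # The final DK() step is omitted here; the salt dependence is already visible.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 32)


class KDB:
    """Minimal model of a KDC database: principal -> (long-term key, salt used to derive it)."""

    def __init__(self):
        self.entries = {}

    def add(self, principal: str, password: str) -> None:
        salt = default_salt(principal)
        self.entries[principal] = (string_to_key(password, salt), salt)

    def rename(self, old: str, new: str) -> None:
        # rename_principal keeps the existing key together with the salt it was derived with
        self.entries[new] = self.entries.pop(old)

    def change_password(self, principal: str, password: str) -> None:
        # A password change re-derives the key with the default salt of the current name
        self.add(principal, password)


def auth_salt_aware(kdb: KDB, principal: str, password: str) -> bool:
    # Correct client: derives the key with the salt the KDC advertises (PA-ETYPE-INFO2)
    key, salt = kdb.entries[principal]
    return string_to_key(password, salt) == key


def auth_default_salt_only(kdb: KDB, principal: str, password: str) -> bool:
    # Broken client, as described for WebCT: always assumes the default salt of the current name
    key, _ = kdb.entries[principal]
    return string_to_key(password, default_salt(principal)) == key


def scenario():
    kdb = KDB()
    kdb.add("jsmith", "correct horse")          # constructed user and password
    kdb.rename("jsmith", "jjones")               # user changes name, password unchanged
    before = (auth_salt_aware(kdb, "jjones", "correct horse"),
              auth_default_salt_only(kdb, "jjones", "correct horse"))
    kdb.change_password("jjones", "new passphrase")
    after = (auth_salt_aware(kdb, "jjones", "new passphrase"),
             auth_default_salt_only(kdb, "jjones", "new passphrase"))
    return before, after  # ((True, False), (True, True))
```

`scenario()` returns `((True, False), (True, True))`: after the rename only the salt-aware client succeeds, and after the password change both do.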