On Thu, Mar 6, 2014 at 1:31 PM, Edgecombe, Jason <[email protected]> wrote:
> Does Heimdal reject requests for expired/disabled accounts as well?

It rejects in these cases:

 - the HDB doesn't have an entry for the client principal but should have
 - the HDB did have an entry and the client principal was marked locked out
 - the HDB did have an entry and the client principal was marked invalid
 - the HDB did have an entry and the client principal was marked not a client
 - the HDB did have an entry and the client principal's valid_start (which is only really supported via the LDAP HDB backend)
 - the HDB did have an entry and the client principal requires a password change
 - the HDB did have an entry and the client principal's password is expired

It'd be trivial to reject requests using tickets predating the last password change.

Nico
--
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
