Kerberos: Difference between revisions

From CSCWiki
Jump to navigation Jump to search
(password expiry manipulation)
No edit summary
Line 1: Line 1:
We use [http://web.mit.edu/Kerberos/ MIT Kerberos 5] for authentication. Our kerberos realm is CSCLUB.UWATERLOO.CA. KDCs run on [[Machine_List#ginseng|ginseng]] (kdc1) and [[Machine_List#artificial-flavours|artificial-flavours]] (kdc2).
We use [http://web.mit.edu/Kerberos/ MIT Kerberos 5] for authentication. Our kerberos realm is CSCLUB.UWATERLOO.CA. KDCs run on [[Machine_List#potassium-citrate|potassium-citrate]] (kdc1) and [[Machine_List#artificial-flavours|artificial-flavours]] (kdc2).


=== Password Resets ===
=== Password Resets ===

Revision as of 14:20, 22 August 2013

We use MIT Kerberos 5 for authentication. Our kerberos realm is CSCLUB.UWATERLOO.CA. KDCs run on potassium-citrate (kdc1) and artificial-flavours (kdc2).

Password Resets

To change your own password you can run passwd on any of the club's machines.

Changing other users' passwords

  • ssh ginseng
  • sudo kadmin.local
  • cpw username
  • Enter new password and confirm

API Documentation

Expiring Passwords

If you are on syscom, you can force a user to change their password by doing this:

  • ssh ginseng
  • sudo kadmin.local
  • modify_principal +needchange [username]

bofh's Kerberos5 cheat sheet, or "what the fuck does *that* error message mean, exactly?"

- If GSSAPI complains about "Wrong Principal in Request", make sure there's no clockskew on the machine trying to get the service ticket and the machine running the service that you are trying to get a GSS token to. This will cause this error for some insane reason, despite there being ANOTHER message for clockskew that specifically says "your clocks are off, dumbass" - it just never seems to be used in the source code anywhere (as of MIT-KRB5 1.9, at least).