Bug 556495

Summary: Configure/disable "Warning: Your password will expire in XX days"
Product: [Fedora] Fedora Reporter: Daniel Piddock <dgp-bz>
Component: krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: nalin
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-04-08 15:14:53 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Daniel Piddock 2010-01-18 10:49:00 EST
Description of problem:
Any time a user enters their password via pam they are informed the password will expire in XX days. This could be 1 day or 365 days.

Can this be configurable to a sensible number like 7 days?

Version-Release number of selected component (if applicable):

How reproducible:
Every time the password is entered.

Steps to Reproduce:
1. Have a user with a password expiry date set
2. Get that user to login

Actual results:
"Warning: Your password will expire in XX days"

Expected results:
Blessed silence (until a sensible period for giving the warning)

Additional info:
The KDC is running Heimdal 1.2 (from Debian Lenny)
Comment 1 Nalin Dahyabhai 2010-01-18 11:03:10 EST
It's not something pam_krb5 has direct control over, as the message is passed to it by the Kerberos libraries, which hard-code the message.  There are two ways the KDC can report expiration in the protocol, but the client code doesn't behave quite the same for both cases.  Moving this to the krb5 component.
Comment 2 Daniel Piddock 2010-01-18 12:10:37 EST
I had a look through the options on the Heimdal KDC and found the setting there.

Please feel free to NOTABUG

Should it be of interest to anyone else: I set kdc_warn_pwexpire=7d in /etc/heimdal/kdc.conf
Comment 3 Nalin Dahyabhai 2010-04-08 15:14:53 EDT
Okay, dropping the patch we were using from Raw Hide and subsequent updates.