Q: OS X Kerberos password resets
We have Kerberos authentication set up on our office network; we use Open Directory 2.4 and SASL/Kerberos for authenticating users. This has been working fine, but we are now getting a problem when trying to force users to change their password at next login.
The flag we are setting in Kerberos is the needchange flag. When a user with this flag set tries to log in, OS X displays this dialog:
On setting a new password, though (one that meets the requirements in the Kerberos policy), the dialog box just wobbles. The password doesn't change in Kerberos and the user cannot log in.
The error shown on the mac is:
authorizationhost: Failed to authenticate user <testuser> (error: 10).
The Kerberos server simply shows:
krb5kdc[89](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: REQUIRED PWCHANGE: testuser@TEST.REALM.ORG for krbtgt/TEST.REALM..ORG@TEST.REALM..ORG, Password has expired
I’ve done some searching on the web and found some people reporting similar issues here:
https://www.redhat.com/archives/freeipa-users/2014-March/msg00166.html
and here:
https://discussions.apple.com/thread/7630644?start=0&tstart=0
I've had the same issue on 10.9, 10.10 & 10.11.
I've found various solutions around forcing password changes on Macs from the server side, but they are all Active Directory based solutions, so they won't work for us. Has anyone managed to get this working in an Open Directory / Kerberos environment?
OS X Mavericks (10.9.5)
Posted on Sep 2, 2016 4:05 AM
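Triage for KDC audit lines like the one quoted above, added here as an example (not part of the original post, nor an Apple or MIT krb5 tool): it parses MIT krb5kdc AS_REQ lines in the shape shown, collects the principals the KDC refuses with REQUIRED PWCHANGE so the server-side state can be set beside the client-side "error: 10", and flags requests whose client realm and krbtgt realm are spelled differently, as they are in the quoted line. The second sample line and the principal alice are constructed, and the regex assumes the MIT log format shown rather than another KDC's.

```python
import re
from dataclasses import dataclass
from typing import Optional

# MIT krb5kdc AS_REQ audit line, in the shape quoted in the question:
# krb5kdc[PID](LEVEL): AS_REQ (N etypes {...}) IP: STATUS: client for server, message
AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): AS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_ ]+?): (?P<client>[^\s,]+) for "
    r"(?P<server>[^\s,]+)(?:, (?P<message>.*))?$"
)

@dataclass
class AsReq:
    ip: str
    etypes: list
    status: str
    client: str
    server: str

    def realms_agree(self) -> bool:
        # Client realm, krbtgt instance and service realm should be spelled identically.
        client_realm = self.client.rsplit("@", 1)[-1]
        svc_name, svc_realm = self.server.rsplit("@", 1)
        instance = svc_name.split("/", 1)[1] if "/" in svc_name else svc_realm
        return client_realm == instance == svc_realm

def parse_as_req(line: str) -> Optional[AsReq]:
    m = AS_REQ_RE.search(line)
    if m is None:
        return None
    return AsReq(m["ip"], [int(e) for e in m["etypes"].split()], m["status"], m["client"], m["server"])

def triage(lines):
    # pwchange: principals refused until they change password (keyed to client IP);
    # realm_mismatch: requests whose client and krbtgt realms are not spelled the same.
    report = {"pwchange": {}, "realm_mismatch": []}
    for req in filter(None, map(parse_as_req, lines)):
        if req.status == "REQUIRED PWCHANGE":
            report["pwchange"][req.client] = req.ip
        if not req.realms_agree():
            report["realm_mismatch"].append(req.client)
    return report

# Sample input: the first entry is the line quoted in the question; the second is constructed.
SAMPLE_LOG = [
    "krb5kdc[89](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: REQUIRED PWCHANGE: "
    "testuser@TEST.REALM.ORG for krbtgt/TEST.REALM..ORG@TEST.REALM..ORG, Password has expired",
    "krb5kdc[89](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.11: NEEDED_PREAUTH: "
    "alice@TEST.REALM.ORG for krbtgt/TEST.REALM.ORG@TEST.REALM.ORG, Additional pre-authentication required",
]
```

Running `triage(SAMPLE_LOG)` reports testuser under both pwchange and realm_mismatch and alice under neither, which is the split an admin wants before deciding whether the failure is the password-change flow itself or something else in the principal names.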
