PAM Kerberos Release Note, HP 9000 Networking

Known Limitations
The current kinit does not support the credential refresh option, i.e. "kinit -R". The
libpam_krb5 library supports manual credential refresh: a user application can call
pam_setcred() with the PAM_REFRESH_CRED flag to refresh the credentials.
This is a known problem with kinit in HP-UX 11.0.

The current kinit uses only the UNIX TIME and DCE pre-authentication mechanisms. If the
KDC is using a different type of pre-authentication, disable pre-authentication for each
user on the KDC.
On Microsoft Windows 2000, use the "Directory Management Tool" to set the "Kerberos
pre-authentication not required" flag in the user's property dialog box. With an MIT KDC,
use the kadmin tool to disable pre-authentication if necessary.
This limitation does not affect the use of PAM Kerberos, which supports the Microsoft
Windows 2000 pre-authentication mechanisms. This is a known problem with kinit in
HP-UX 11.0.

It is strongly suggested that the PAM Kerberos and DCE Kerberos plug-in modules not be
used simultaneously, because they use different principal styles and credential file
paths.
For the principal style, DCE Kerberos uses the cell name, whereas PAM Kerberos uses the
realm name. For the credential cache file, DCE Kerberos puts its credentials in the
/var/opt/dce/creds path, whereas PAM Kerberos stores them in the /tmp/pam_krb5/creds path.
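
One way to check a host for the coexistence described above, as an added example that is not part of the release note or HP's code: the function scans a pam.conf-style file and lists services that reference both libpam_krb5 and a DCE module. The "libpam_dce" name pattern, the /usr/lib/security paths and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example, not HP code. Flags pam.conf services that reference both
# libpam_krb5 (named in the release note) and a DCE module. The DCE file name
# pattern "libpam_dce" and the sample paths below are assumptions.

# Prints each conflicting service name, sorted; returns 1 if any were found.
krb_dce_conflicts() {
    conflicts=$(awk '
        /^[ \t]*#/ || NF < 4 { next }   # skip comments, blank and malformed lines
        $4 ~ /libpam_krb5/ { krb[$1] = 1 }
        $4 ~ /libpam_dce/  { dce[$1] = 1 }
        END { for (s in krb) if (s in dce) print s }
    ' "$1" | sort)
    [ -z "$conflicts" ] && return 0
    printf '%s\n' "$conflicts"
    return 1
}

# Writes a constructed pam.conf (service, module_type, control_flag, module_path).
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not taken from a real system
login   auth     required   /usr/lib/security/libpam_krb5.1
login   auth     required   /usr/lib/security/libpam_dce.1 try_first_pass
login   account  required   /usr/lib/security/libpam_unix.1
ftp     auth     required   /usr/lib/security/libpam_krb5.1
ftp     password required   /usr/lib/security/libpam_dce.1
telnet  auth     sufficient /usr/lib/security/libpam_dce.1
#su     auth     required   /usr/lib/security/libpam_dce.1
su      auth     required   /usr/lib/security/libpam_krb5.1
EOF
}

sample=${TMPDIR:-/tmp}/pam_conf_sample.$$
write_sample_conf "$sample"
krb_dce_conflicts "$sample" || echo "services above mix PAM Kerberos and DCE modules"
rm -f "$sample"
```

A service is reported when the two modules appear under any module types, so a Kerberos auth entry combined with a DCE password entry is also flagged.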

Due to the protocol selection mechanism of the change password protocol, when changing
passwords on an MIT KDC with a version prior to 1.1, up to 45 seconds may elapse before
the password is actually changed.