User access to password/account info and password expiration

Jason L Tibbitts III tibbs at math.uh.edu
Thu Jan 18 18:58:02 UTC 2018


I was wondering how people handle giving users access to their account
information, and for handling password expiration in general.

I administer a small university department and we have about 125 Linux
desktops at the moment, all running Fedora 27 (which has kf5 5.41.0
currently) with KDE/Plasma as the default session.  Users are in LDAP
and authentication is done via Kerberos.  I've been running
this forever, and for the most part it works well.  But there have been
some issues I've never been able to work out properly.

We still use KDM as SDDM doesn't appear to have any ability to
communicate information about account or password expiration, or to
prompt a user to change an expired password at login.  And KDM (which I
know is unmaintained) has a terrible bug where, upon a login with an
expired password, you have about 40 seconds to enter a new password
before the entry fields simply stop responding.  I just tell people to
be quick.

I do know there are some patches to SDDM floating about which add some
sort of PAM message functionality but I don't think much progress was
made on merging them.  Do "enterprise" folks just live with KDM or are
you using GDM or something else?

If a user is logged in and they need to change their password, it seems
like it's intended that they use the user manager they get when they
click on the icon next to their name in the start menu.  But that
appears to be an administrative interface, going by the fact that it has
a user creation interface and a title of "Add, remove or edit system
users".  The user can click on the password field and enter a new
password, but a polkit window appears asking for root credentials when
any attempt to save the change is made.  It also seems like this user
manager is hardcoded and there's no "simple" way to make it do something
else when that icon is clicked.

I usually just tell people to open a shell and type "passwd", but there
must be a better way.

Finally, I'm sure there must be some kind of Kerberos ticket manager, or
an interface to gnome-online-accounts, but I haven't been able to find
it.  I think there's a really old panel applet for dealing with Kerberos
tickets but I don't think it was ever ported forward from KDE3.  What
does everyone (who is using Kerberos) use for that?

Thanks for any info that folks might be able to provide.
-- 
 Jason L Tibbitts III - tibbs at math.uh.edu - 713/743-3486 - 660PGH
 System Manager:  University of Houston Department of Mathematics 

