Does MIT kadmind support ksetpw operations?
Andrew J. Korty
me at privacy.net
Tue Apr 9 12:03:49 EDT 2002
The ksetpw protocol Microsoft proposes for keeping MIT and ADS KDCs in
sync confuses me.
Suppose I have an ADS realm "ADS" and an MIT realm "MIT". The
principal "passprinc" exists in both realms and has permission to
change passwords for all the users in that realm. The principal "ajk"
is also in both realms and in these examples is the one whose password
I want to change.
$ kinit passprinc@ADS
Password for passprinc@ADS:
$ ksetpw ajk@ADS
Changing password for ajk@ADS
Enter new password:
Enter it again:
$
works fine, which seems strange, since kadmin/changepw should not be a
TGT-based service. The MIT kadmind does what I would expect:
$ kinit passprinc@MIT
Password for passprinc@MIT:
$ ksetpw ajk@MIT
Changing password for ajk@MIT
Enter new password:
Enter it again:
ksetpw: KDC policy rejects request changing password
Shouldn't I have to get an *initial* kadmin/changepw ticket instead of
using a TGT? That doesn't work for either KDC.
$ kinit -S kadmin/changepw passprinc@ADS
Password for passprinc@ADS:
$ ksetpw ajk@ADS
Changing password for ajk@ADS
Enter new password:
Enter it again:
Access denied
I guess it's complaining because I don't have a TGT to get a
kadmin/changepw ticket. The MIT error is more cryptic.
$ kinit -S kadmin/changepw passprinc@MIT
Password for passprinc@MIT:
$ ksetpw ajk@MIT
Changing password for ajk@MIT
Enter new password:
Enter it again:
Malformed request error: Request contained unknown protocol version number 65408
Is it possible to change passwords with another user's credentials
with MIT Kerberos 5? I don't think I want to reset the
DISALLOW_TGT_BASED on kadmin/changepw.
--
Andrew J. Korty, Principal Security Engineer, GCIA
Office of the Vice President for Information Technology
Indiana University
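The "unknown protocol version number 65408" error in the message above is worth decoding. 65408 is 0xff80, the protocol version number that RFC 3244 assigns to the set-password request (changing another principal's password), while the original kpasswd change-password request uses version 0x0001. Both share the same framing on port 464: a 2-byte message length, a 2-byte version, a 2-byte AP-REQ length, then the AP-REQ and a KRB-PRIV. The following added example (not code from the original post, nor from MIT Kerberos or any ksetpw tool) builds and parses that framing and shows how a server that only implements version 1 would reject a version 0xff80 request; the AP-REQ and KRB-PRIV bodies are constructed placeholders rather than real ASN.1, and the rejection text is modelled on the error quoted in the message.

```python
"""Outer framing of the Kerberos password-change protocol (kpasswd, TCP/UDP 464).

Layout (RFC 3244 section 2, identical to the older change-password draft):
    message length (2 bytes, big-endian, includes these 2 bytes)
    protocol version (2 bytes): 0x0001 = change-password, 0xff80 = set-password
    AP-REQ length (2 bytes)
    AP-REQ (ASN.1 DER), KRB-PRIV (ASN.1 DER)
The AP-REQ and KRB-PRIV payloads below are constructed placeholders.
"""
import struct

CHANGE_PASSWORD_VERSION = 0x0001  # original kpasswd request: change your own password
SET_PASSWORD_VERSION = 0xFF80     # RFC 3244 request: set another principal's password (65408)

HEADER = struct.Struct("!HHH")    # length, version, AP-REQ length


def build_request(version: int, ap_req: bytes, krb_priv: bytes) -> bytes:
    """Frame an AP-REQ and KRB-PRIV into a kpasswd request of the given version."""
    total = HEADER.size + len(ap_req) + len(krb_priv)
    if total > 0xFFFF:
        raise ValueError("kpasswd message exceeds 16-bit length field")
    return HEADER.pack(total, version, len(ap_req)) + ap_req + krb_priv


def parse_request(data: bytes) -> dict:
    """Split a kpasswd request into version, AP-REQ and KRB-PRIV, checking lengths."""
    if len(data) < HEADER.size:
        raise ValueError("truncated kpasswd header")
    total, version, ap_len = HEADER.unpack_from(data)
    if total != len(data):
        raise ValueError(f"length field {total} does not match {len(data)} bytes received")
    if HEADER.size + ap_len > len(data):
        raise ValueError("AP-REQ length exceeds message")
    ap_req = data[HEADER.size:HEADER.size + ap_len]
    krb_priv = data[HEADER.size + ap_len:]
    return {"version": version, "ap_req": ap_req, "krb_priv": krb_priv}


def dispatch(data: bytes, supported_versions: set) -> str:
    """Model a server's first decision: is the version understood at all?

    A server that only knows version 1 never gets as far as validating the
    AP-REQ for a 0xff80 request; it reports the unknown version instead,
    which is the behaviour seen in the message above.
    """
    req = parse_request(data)
    version = req["version"]
    if version not in supported_versions:
        return ("Malformed request error: Request contained unknown protocol "
                f"version number {version}")
    kind = "set-password" if version == SET_PASSWORD_VERSION else "change-password"
    return (f"ok: {kind} request, {len(req['ap_req'])}-byte AP-REQ, "
            f"{len(req['krb_priv'])}-byte KRB-PRIV")


if __name__ == "__main__":
    # Constructed placeholder payloads; a real client sends DER-encoded AP-REQ/KRB-PRIV.
    msg = build_request(SET_PASSWORD_VERSION, b"<AP-REQ>", b"<KRB-PRIV>")
    print(msg.hex())
    print(dispatch(msg, {CHANGE_PASSWORD_VERSION}))                        # version-1-only server
    print(dispatch(msg, {CHANGE_PASSWORD_VERSION, SET_PASSWORD_VERSION}))  # RFC 3244 server
```

The version field is the first thing a defender should look at when a password-change request is refused: a 65408 in the error means the client sent an RFC 3244 set-password request, and the question becomes whether the server implements that message type, not whether the credentials were wrong.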