Password Expiration, win2k client

J-F Cloutier jfclouti at mobility.com
Mon Mar 10 14:33:37 EST 2003


Hi there, here is my problem:
I have installed a KDC that runs on a Solaris 8 system.  Then on a
Windows 2000 Pro I used the Ksetup utility from Microsoft to configure
the workstation to authenticate through the KDC (doing the /setrealm,
/addkdc, /setcomputerpassword and /mapuser).  The w2k client seems to
be correctly configured, I can log on to the Kerberos realm, I change
my password, I see my ticket with the kerbtray utility.  The problem
is when my password expires.  I enter my username/password on the
win2k login screen,  I then receive a message that my password is
expired and that I need to change my password now.  Then the change
password window pops up.  I type a new password (which respects my
password policy) and then after 10-15 seconds, I receive an error
message saying that the domain is not available.

The exact error message is: "The system cannot change your password
now because the domain REALM.COM is not available"

Here is the log in kdc.log:
Mar 10 14:29:32 kdc1.realm.com krb5kdc[705](info): AS_REQ (7 etypes
{23 -133 -128 3 1 24 -135}) 10.46.3.8(88): CLIENT KEY EXPIRED:
jfclouti@REALM.COM for krbtgt/REALM.COM@REALM.COM, Password has
expired
Mar 10 14:29:32 kdc1.realm.com krb5kdc[705](info): DISPATCH: repeated
(retransmitted?) request from 10.46.3.8 port 88, resending previous
response

If I change my password through the kadmin interface, the logon will
work, until my password gets expired again.  Looking on the web, I
thought that this problem was supposed to be fixed with SP1 for Windows
2000 (referring to 253532), but it doesn't work.

I just did a clean install of Windows 2000 with SP1, same problem.
One funny thing I found, when my password is expired, I can enter any
password for my username and as soon as I try to log on, it always tells
me that the password is expired and that I need to change it.  Isn't it
supposed to check if the correct password is valid before checking for
the password expiration?

Here is my config:
Client:
Windows 2000 Pro, tried with SP1, SP2 and SP3

KDC:
Solaris 8 
MIT Kerberos 5 1.2.7, precompiled binaries from MIT

Thanks!
J-F Cloutier

ps. please send me a copy of your answer at jfclouti at mibility.com
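
Added example, not part of the original post and not MIT's code: a small Python parser for the krb5kdc AS_REQ entries quoted above that counts CLIENT KEY EXPIRED requests per principal and source address. The function names, the "vendor-private" label for negative etype numbers and the third log entry (from 192.0.2.15) are assumptions made for the example; the sample writes principals with "@" where the list archive shows " at ".

```python
import re
from collections import Counter

# Constructed sample: entries 1 and 2 are the kdc.log lines from the post,
# wrapped as in the mail; entry 3 (192.0.2.15) is constructed for the example.
SAMPLE_LOG = """\
Mar 10 14:29:32 kdc1.realm.com krb5kdc[705](info): AS_REQ (7 etypes
{23 -133 -128 3 1 24 -135}) 10.46.3.8(88): CLIENT KEY EXPIRED:
jfclouti@REALM.COM for krbtgt/REALM.COM@REALM.COM, Password has
expired
Mar 10 14:29:32 kdc1.realm.com krb5kdc[705](info): DISPATCH: repeated
(retransmitted?) request from 10.46.3.8 port 88, resending previous
response
Mar 10 14:30:05 kdc1.realm.com krb5kdc[705](info): AS_REQ (2 etypes
{3 1}) 192.0.2.15(88): CLIENT KEY EXPIRED: jfclouti@REALM.COM for
krbtgt/REALM.COM@REALM.COM, Password has expired
"""

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
AS_REQ = re.compile(r"AS_REQ \(\d+ etypes \{(?P<etypes>[-\d ]+)\}\) (?P<src>[\d.]+)\(\d+\): "
                    r"(?P<status>[A-Z_ ]+): (?P<client>\S+@\S+) for (?P<server>[^\s,]+)")
# Standard Kerberos etype numbers; negative values are outside the standard range.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac", 24: "rc4-hmac-exp"}

def unwrap(text):
    """Rejoin log entries that mail wrapping split across several lines."""
    entries = []
    for line in text.splitlines():
        if TIMESTAMP.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def parse_as_req(entry):
    """Return the fields of one AS_REQ entry, or None for any other entry."""
    m = AS_REQ.search(entry)
    if m is None:
        return None
    ev = m.groupdict()
    ev["etypes"] = [ETYPES.get(n, "vendor-private" if n < 0 else "unknown")
                    for n in map(int, ev["etypes"].split())]
    return ev

def expired_logins(text):
    """Count CLIENT KEY EXPIRED AS_REQs per (principal, source address)."""
    events = filter(None, map(parse_as_req, unwrap(text)))
    return Counter((e["client"], e["src"]) for e in events
                   if e["status"] == "CLIENT KEY EXPIRED")
```

Calling expired_logins(SAMPLE_LOG) returns one count per (principal, source address) pair; the DISPATCH retransmission entry is not an AS_REQ and is skipped.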