Can't change kerberos password on Active Directory with kpasswd

Henry B. Hotz hotz at jpl.nasa.gov
Tue Apr 6 13:42:42 EDT 2004


Actually SEAM works just fine with a Heimdal (and therefore MIT and 
MS?) KDC, but there are several caveats:

1)  You need to have the latest Kerberos patches from Sun installed. 
There's a compatibility bug that's fixed along with the security 
fixes.

2)  You need to have an entry for "kpasswd_protocol = SET_CHANGE". 
See the Sun krb5.conf man page to check my spelling, etc.

3)  On Solaris 9 you need an entry for kpasswd_server or it will do a 
DNS lookup before it falls back to the admin_server entry.  (Not 
documented, but pretty obvious if you look at snoop.)

4)  Your Kerberos principal must match an otherwise-defined account 
on the machine.  You can't just change some random principal's 
password.

I've seen 1 and 4 on Solaris 8, and 3 on Solaris 9.  2 is common to 
both.  Solaris 7 and earlier has Kerberos 4, not K5/SEAM.  No 
experience with Solaris 10 (yet).

At 6:18 PM -0400 4/4/04, kerberos-request at mit.edu wrote:
>Date: Fri, 2 Apr 2004 13:11:38 -0500
>From: "Tareq Alrashid" <tma at case.edu>
>To: "'Tyson Oswald'" <oswaldt at ameritech.net>
>Cc: kerberos at MIT.EDU
>Subject: RE: Can't change kerberos password on Active Directory with kpasswd
>Message-ID: <200404021811.BBZ83911 at mirapoint1.tis.cwru.edu>
>In-Reply-To: <20040402144722.25395.qmail at web80605.mail.yahoo.com>
>Precedence: list
>Reply-To: tma at case.edu
>Message: 9
>
>Make sure you are using MIT Kerberos 'kpasswd', and NOT the Sun SEAM 1.0.
>I was bitten with this a year ago; while authentication works using Sun's
>tools, their kpasswd is NOT compatible with MIT's.
>
>hth,
>Tareq
>
>-
>Tareq.Alrashid at CASE.EDU - ITS Middleware
>10900 Euclid Avenue, CRAWFORD 422, Cleveland, OH 44106-7072
>USA - VOICE:1-216-368-3559, FAX:1-216-368-3165
>
>|-->-----Original Message-----
>|-->From: kerberos-bounces at mit.edu
>|-->[mailto:kerberos-bounces at mit.edu] On Behalf Of Tyson Oswald
>|-->Sent: Friday, April 02, 2004 09:47
>|-->To: kerberos at mit.edu
>|-->Subject: Can't change kerberos password on Active Directory
>|-->with kpasswd
>|-->
>|-->Hello,
>|-->
>|-->I have set up kerberos (to Active Directory) authentication
>|-->on Solaris 8 with SEAM 1.0.  I can authenticate without any
>|-->problems, but if I try and use kpasswd to change my
>|-->kerberos password I get the following error 'kpasswd:
>|-->unable to get host based service name for realm
>|-->myRealm.net'.  My /etc/krb5/krb5.conf file looks like
>|-->
>|-->[libdefaults]
>|-->        default_realm = MYREALM.NET
>|-->        default_tkt_enctypes = des-cbc-md5
>|-->        default_tgs_enctype = des-cbc-md5
>|-->
>|-->[realms]
>|-->        MYREALM.NET = {
>|-->                kdc = 192.168.0.252:88
>|-->        }
>|-->
>|-->I have looked on google and didn't see any references to
>|-->this error.  Any help would be greatly appreciated.
>|-->
>|-->thank you,
>|-->
>|-->Tyson Oswald
>|-->

-- 
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
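
Added example, not part of the original message or of any Kerberos distribution: a small check that reads the [realms] section of a krb5.conf and reports realms that lack the entries named in caveats 2 and 3 above. The second sample file is constructed; placing kpasswd_server on the KDC address at port 464 is an assumption, and the function names are hypothetical.

```python
import re

# [realms] stanza as posted in the quoted question (caveats 2 and 3 unmet).
AS_POSTED = """\
[libdefaults]
        default_realm = MYREALM.NET
[realms]
        MYREALM.NET = {
                kdc = 192.168.0.252:88
        }
"""

# Constructed variant: kpasswd on the KDC host, port 464, is an assumption.
WITH_ENTRIES = """\
[realms]
        MYREALM.NET = {
                kdc = 192.168.0.252:88
                kpasswd_server = 192.168.0.252:464
                kpasswd_protocol = SET_CHANGE
        }
"""

def parse_realms(text):
    """Return {realm: {key: [values]}} for the [realms] section."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank or comment line
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                 # new top-level section
            section, current = m.group(1), None
        elif section == "realms" and line.endswith("{"):
            current = realms.setdefault(line.split("=")[0].strip(), {})
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return realms

def check_kpasswd(text):
    """List (realm, finding) pairs for caveats 2 and 3 of the message."""
    findings = []
    for realm, keys in parse_realms(text).items():
        if keys.get("kpasswd_protocol") != ["SET_CHANGE"]:
            findings.append((realm, "kpasswd_protocol is not SET_CHANGE"))
        if "kpasswd_server" not in keys:
            findings.append((realm, "no kpasswd_server entry"))
    return findings
```
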

