Can't change kerberos password on Active Directory with kpasswd
Henry B. Hotz
hotz at jpl.nasa.gov
Tue Apr 6 13:42:42 EDT 2004
Actually SEAM works just fine with a Heimdal (and therefore MIT and
MS?) KDC, but there are several caveats:
1) You need to have the latest Kerberos patches from Sun installed.
There's a compatibility bug that's fixed along with the security
fixes.
2) You need to have an entry for "kpasswd_protocol = SET_CHANGE".
See the Sun krb5.conf man page to check my spelling, etc.
3) On Solaris 9 you need an entry for kpasswd_server or it will do a
DNS lookup before it falls back to the admin_server entry. (Not
documented, but pretty obvious if you look at snoop.)
4) Your Kerberos principal must match an otherwise-defined account
on the machine. You can't just change some random principal's
password.
I've seen 1 and 4 on Solaris 8, and 3 on Solaris 9. 2 is common to
both. Solaris 7 and earlier has Kerberos 4, not K5/SEAM. No
experience with Solaris 10 (yet).
At 6:18 PM -0400 4/4/04, kerberos-request at mit.edu wrote:
>Date: Fri, 2 Apr 2004 13:11:38 -0500
>From: "Tareq Alrashid" <tma at case.edu>
>To: "'Tyson Oswald'" <oswaldt at ameritech.net>
>Cc: kerberos at MIT.EDU
>Subject: RE: Can't change kerberos password on Active Directory with kpasswd
>
>Make sure you are using MIT Kerberos 'kpasswd', and NOT the Sun SEAM 1.0.
>I was bitten with this a year ago, while authentication works using Sun's
>tools their kpasswd is NOT compatible with MIT's.
>
>hth,
>Tareq
>
>-
>Tareq.Alrashid at CASE.EDU - ITS Middleware
>10900 Euclid Avenue, CRAWFORD 422, Cleveland, OH 44106-7072
>USA - VOICE:1-216-368-3559, FAX:1-216-368-3165
>
>|-->-----Original Message-----
>|-->From: kerberos-bounces at mit.edu
>|-->[mailto:kerberos-bounces at mit.edu] On Behalf Of Tyson Oswald
>|-->Sent: Friday, April 02, 2004 09:47
>|-->To: kerberos at mit.edu
>|-->Subject: Can't change kerberos password on Active Directory
>|-->with kpasswd
>|-->
>|-->Hello,
>|-->
>|-->I have set up kerberos (to Active Directory) authentication
>|-->on Solaris 8 with SEAM 1.0. I can authenticate without any
>|-->problems, but if I try and use kpasswd to change my
>|-->kerberos password I get the following error 'kpasswd:
>|-->unable to get host based service name for realm
>|-->myRealm.net'. My /etc/krb5/krb5.conf file looks like
>|-->
>|-->[libdefaults]
>|--> default_realm = MYREALM.NET
>|--> default_tkt_enctypes = des-cbc-md5
>|--> default_tgs_enctype = des-cbc-md5
>|-->
>|-->[realms]
>|--> MYREALM.NET = {
>|--> kdc = 192.168.0.252:88
>|--> }
>|-->
>|-->I have looked on google and didn't see any references to
>|-->this error. Any help would be greatly appreciated.
>|-->
>|-->thank you,
>|-->
>|-->Tyson Oswald
>|-->
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
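
A check for caveats 2 and 3 from the reply above, as an added example that is not part of the original thread: it reads the [realms] section of a krb5.conf and reports realms that lack "kpasswd_protocol = SET_CHANGE" or a kpasswd_server entry. The function names and the host name dc1.example.net are assumptions made for the example, as is placing both entries inside the realm's stanza.

```python
# Constructed samples: the realm stanza from the question, then the same realm
# with the entries from caveats 2 and 3 added (dc1.example.net is a placeholder).
ORIGINAL = """
[libdefaults]
    default_realm = MYREALM.NET

[realms]
    MYREALM.NET = {
        kdc = 192.168.0.252:88
    }
"""

ADJUSTED = """
[realms]
    MYREALM.NET = {
        kdc = 192.168.0.252:88
        admin_server = dc1.example.net
        kpasswd_server = dc1.example.net
        kpasswd_protocol = SET_CHANGE
    }
"""

def realm_settings(conf_text):
    """Return {realm: {key: [values]}} for each stanza under [realms]."""
    realms, section, current = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and padding
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1], None      # new top-level section
        elif section == "realms" and line.endswith("{"):
            current = realms.setdefault(line.split("=")[0].strip(), {})
        elif line == "}":
            current = None                           # end of the realm stanza
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return realms

def kpasswd_findings(conf_text):
    """List (realm, message) pairs for the entries named in caveats 2 and 3."""
    findings = []
    for realm, keys in realm_settings(conf_text).items():
        if keys.get("kpasswd_protocol") != ["SET_CHANGE"]:
            findings.append((realm, "kpasswd_protocol = SET_CHANGE is not set"))
        if "kpasswd_server" not in keys:
            findings.append((realm, "no kpasswd_server: DNS lookup, then admin_server"))
    return findings
```

Calling kpasswd_findings(ORIGINAL) returns two findings for MYREALM.NET; kpasswd_findings(ADJUSTED) returns an empty list.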