Problem changing expired Windows 2000 passwords
Douglas E. Engert
deengert at anl.gov
Tue Aug 17 10:06:43 EDT 2004
rodolfo at ime.unicamp.br wrote:
> Hi!
>
> We have a Windows 2000 domain with workstations performing authentication
> at a MIT Kerberos KDC. It works fine but, if the user's password has
> expired, the Windows workstations displays it's normal "password expired"
> alert, but when the user tries to change this password, Windows shows the
> "domain not available" message.
>
> Running tcpdump at the kdc, I show no kerberos related traffic when this
> password-change is tried.
>
> There is a article at Microsoft about a similar problem, but it says the
> issue is solved with service pack 1. We have service pack 4 at our
> windows workstations.
When you ran ksetup on a client did you use the /AddKpasswd option?
It could be that SP1 is using the "older administrative protocol" which
was used by the v5passwdd. You might try running v5passwdd.
I say this as I know the older krb5.exe on windows had a password change
option, and the krb5.exe could talk to AD to change a password in AD.
So Microsoft may have implemented the other direction as well,
and allow a Windows machine to change a password in an MIT realm,
but you may have to use the /AddKpasswd option to tell it where it is.
>
> Some idea???
>
> Tnks!
>
> []s!
> Rodolfo
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list