Problem changing expired Windows 2000 passwords

rodolfo at ime.unicamp.br
Wed Aug 18 10:39:07 EDT 2004


Hi!

I didn't use /AddKpasswd when I ran ksetup.exe.  I tried to do it now, but
it is still not working.

But... running tcpdump, I saw that the client asks my DNS server for
something.  Putting bind to log queries, I saw:

query: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ROOT.IME.UNICAMP.BR IN SRV
query: _ldap._tcp.dc._msdcs.ROOT.IME.UNICAMP.BR IN SRV
query: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ROOT.IME.UNICAMP.BR IN SRV
query: _ldap._tcp.dc._msdcs.ROOT.IME.UNICAMP.BR IN SRV

ROOT.IME.UNICAMP.BR is our main Kerberos realm (since our workstations
were in the .ime.unicamp.br domain, and Windows 2000 uses the domain as its
Kerberos realm, we did it this way to preserve our original domain name
for all workstations and be able to use cross-realm auth. with our MIT
realm).

As it usually does, Windows is looking for my MIT KDC by asking for a domain
with the realm's name.

Btw: I tried to build the ROOT.IME.UNICAMP.BR zone in DNS and put SRV
records for my (MIT) KDC, but it did not work.  I tried putting SRV
records for the ADS too (as ldap), but it is still not working...

... some idea??

Thanks in advance!!

[]s!
Rodolfo

> When you ran ksetup on a client did you use the /AddKpasswd option?
>
> It could be that SP1 is using the "older administrative protocol" which
> was used by the v5passwdd. You might try running v5passwdd.
>
> I say this as I know the older krb5.exe on windows had a password change
> option, and the krb5.exe could talk to AD to change a password in AD. So
> Microsoft may have implemented the other direction as well,
> and allow a Windows machine to change a password in an MIT realm,
> but you may have to use the /AddKpasswd option to tell it where it is.
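As an added illustration that is not part of the original thread: a small Python parser, run over constructed BIND query-log lines modelled on the ones quoted above, that picks out the SRV lookups and separates the `_msdcs` names (which belong to the Active Directory DC locator and are only published by AD) from the plain `_kerberos`/`_kpasswd` names an MIT realm would normally publish. The sample lines and the two function names are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample of BIND query-log lines, modelled on those quoted in
# the post; the realm name is the one the post mentions.
SAMPLE_LOG = """\
query: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ROOT.IME.UNICAMP.BR IN SRV
query: _ldap._tcp.dc._msdcs.ROOT.IME.UNICAMP.BR IN SRV
query: _kerberos._udp.ROOT.IME.UNICAMP.BR IN SRV
query: www.ime.unicamp.br IN A
"""

# Matches the "query: <name> IN <type>" part of a BIND query-log line.
QUERY_RE = re.compile(r"query: (?P<name>\S+) IN (?P<type>[A-Z]+)")


def parse_srv_queries(log_text):
    """Return (service, proto, owner, is_msdcs) for each SRV query seen."""
    found = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m.group("type") != "SRV":
            continue
        labels = m.group("name").rstrip(".").split(".")
        # SRV owner names start with two underscore labels: _service._proto
        if len(labels) < 3 or not (labels[0].startswith("_") and labels[1].startswith("_")):
            continue
        service, proto = labels[0], labels[1]
        owner = ".".join(labels[2:])
        # _msdcs subdomains are AD DC-locator names; an MIT KDC never answers them.
        is_msdcs = any(label.lower() == "_msdcs" for label in labels)
        found.append((service, proto, owner, is_msdcs))
    return found


def summarize(log_text):
    """Group the SRV names a client asked for into AD-only vs. standard ones."""
    groups = defaultdict(set)
    for service, proto, owner, is_msdcs in parse_srv_queries(log_text):
        key = "ad-dc-locator" if is_msdcs else "standard"
        groups[key].add(f"{service}.{proto}.{owner}")
    return {key: sorted(names) for key, names in groups.items()}


if __name__ == "__main__":
    for key, names in summarize(SAMPLE_LOG).items():
        print(key, names)
```

Running it against a real query log shows whether the client is using the AD DC-locator names at all, which a zone holding only `_kerberos` and `_kpasswd` SRV records cannot satisfy.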
