Problem changing expired Windows 2000 passwords

Jeffrey Altman jaltman2 at nyc.rr.com
Wed Aug 18 12:53:46 EDT 2004


This behavior is a Windows 2000 bug which will not be fixed.
You must log in as

	user@DOMAIN

to avoid the bug.

Jeffrey Altman



rodolfo at ime.unicamp.br wrote:

> Hi!
> 
> I didn't use AddKpasswd when I ran ksetup.exe.  I tried to do it now, but
> it is still not working.
> 
> But... running tcpdump, I saw that the client asks my DNS server for
> something.  Putting bind to log queries, I saw:
> 
> query: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ROOT.IME.UNICAMP.BR IN SRV
> query: _ldap._tcp.dc._msdcs.ROOT.IME.UNICAMP.BR IN SRV
> query: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ROOT.IME.UNICAMP.BR IN SRV
> query: _ldap._tcp.dc._msdcs.ROOT.IME.UNICAMP.BR IN SRV
> 
> ROOT.IME.UNICAMP.BR is our main Kerberos realm (since our workstations
> were at the .ime.unicamp.br domain, and Windows 2000 uses the domain as its
> Kerberos realm, we did it this way to preserve our original domain name
> for all workstations and be able to use cross-realm auth. with our MIT
> realm).
> 
> As it usually does, Windows is looking for my MIT KDC by asking a domain
> with the realm's name.
> 
> Btw: I tried to build the ROOT.IME.UNICAMP.BR zone in DNS and put SRV
> records for my (MIT) KDC, but it did not work.  I tried putting SRV
> records for the ADS too (as ldap), but it is still not working...
> 
> .... any ideas??
> 
> Thanks in advance!!
> 
> []s!
> Rodolfo
> 
> 
>>When you ran ksetup on a client did you use the /AddKpasswd option?
>>
>>It could be that SP1 is using the "older administrative protocol" which
>>was used by the v5passwdd. You might try running v5passwdd.
>>
>>I say this as I know the older krb5.exe on windows had a password change
>>option, and the krb5.exe could talk to AD to change a password in AD. So
>>Microsoft may have implemented the other direction as well,
>>and allow a Windows machine to change a password in an MIT realm,
>>but you may have to use the /AddKpasswd option to tell it where it is.
> 
> 
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu

