kpasswd failure due to time out

dkuhl dkuhl at paritysys.net
Tue Aug 31 17:06:54 EDT 2004


Hi,
	I have this problem with kpasswd.  I can't seem to get it to function 
properly.  I always get the following dialog:

myuser at machine:~$ kpasswd
Password for myuser at OURREALM.COM:
Enter new password: :
Enter it again: :
kpasswd: Connection timed out changing password

	I've googled all over the place but I can't seem to find anyone who has 
had this issue before (which I find hard to believe).  The environment I 
have set up is comprised of all Debian machines, running the recent 
(testing/sarge) krb5 packages:
   krb5-admin-server - Mit Kerberos master server (kadmind)
   krb5-kdc - Mit Kerberos key server (KDC)

	I have a couple of servers running the kerberized ssh package and 
everything at the moment seems to be functioning fine with the exception 
that users cannot change their own passwords.  Obviously this is a 
problem.

	Here are some details.  Domain names, Realm names, and user names have 
been changed to protect the innocent.

This is what shows up in the kdc log when I first run kpasswd:

Aug 31 12:00:06 kdc1.ourdomain.com krb5kdc[4654](info): AS_REQ
(7 etypes {18 17 16 23 1 3 2}) 192.168.2.101: NEEDED_PREAUTH:
myuser at OURREALM.COM for kadmin/changepw at OURREALM.COM, Additional
pre-authentication required

         When I type in my password, I get a response asking for my new 
password and the following entry appears in the kdc log:

Aug 31 12:00:09 kdc1.ourdomain.com krb5kdc[4654](info): AS_REQ
(7 etypes {18 17 16 23 1 3 2}) 192.168.2.101: ISSUE: authtime
1093971609, etypes {rep=16 tkt=16 ses=16}, myuser at OURREALM.COM for 
kadmin/changepw at OURREALM.COM

         That's all that ever appears in the log.  I have the kadmin log
segregated and nothing ever shows up in that log during this
operation.  I thought the kadmind daemon was responsible for this but 
it never gets involved from what I can tell.

Here's what the access control file (kadm5.acl) has:

  */admin *
*/admin at OURREALM.COM   *
myuser at OURREALM.COM     cli     *
kadmin/admin at OURREALM.COM *
kadmin/changepw at OURREALM.COM   *       *

	I put the "kadmin/changepw at OURREALM.COM" in there as an experiment - 
doesn't seem to make a difference.

	I could really use some help if anyone has experience with this sort of 
problem.  I can provide further details (kdc.conf, krb5.conf, etc) if 
anyone wants them.

Thanks,
Dave
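
The symptom described in the message above (the KDC issues a ticket for kadmin/changepw, yet the kadmind log stays empty) can be checked across both logs with a short script. This is an added example, not part of the original post; the function names, the 30-second window, the assumed year 2004 and the sample kadmind line are assumptions.

```python
import re
from datetime import datetime, timedelta

# Layout of the krb5kdc AS_REQ lines quoted in the post. The list archive
# rewrote "@" as " at ", so both spellings are accepted.
KDC_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): AS_REQ .*?"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+): (?P<status>[A-Z_]+): .*?"
    r"(?P<client>\S+(?:@| at )\S+) for (?P<service>\S+(?:@| at )[^\s,]+)"
)
TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")


def parse_ts(text, year=2004):
    # Syslog timestamps carry no year; 2004 (the post's date) is assumed.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def unanswered_changepw(kdc_lines, kadmind_lines, window_s=30):
    """List (time, client, ip) for every kadmin/changepw ticket the KDC issued
    that is followed by no kadmind log entry within window_s seconds."""
    kadmind_times = [parse_ts(m.group(1)) for m in map(TS_RE.match, kadmind_lines) if m]
    findings = []
    for line in kdc_lines:
        m = KDC_RE.match(line)
        if not m or m["status"] != "ISSUE":
            continue  # NEEDED_PREAUTH and unrelated lines issue no ticket
        if not m["service"].startswith("kadmin/changepw"):
            continue
        issued = parse_ts(m["ts"])
        limit = issued + timedelta(seconds=window_s)
        if not any(issued <= t <= limit for t in kadmind_times):
            findings.append((m["ts"], m["client"].replace(" at ", "@"), m["ip"]))
    return findings


# The two KDC entries from the post, each joined back onto one line.
KDC_LOG = [
    "Aug 31 12:00:06 kdc1.ourdomain.com krb5kdc[4654](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.101: NEEDED_PREAUTH: myuser at OURREALM.COM for kadmin/changepw at OURREALM.COM, Additional pre-authentication required",
    "Aug 31 12:00:09 kdc1.ourdomain.com krb5kdc[4654](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.101: ISSUE: authtime 1093971609, etypes {rep=16 tkt=16 ses=16}, myuser at OURREALM.COM for kadmin/changepw at OURREALM.COM",
]
# Constructed kadmind line (format assumed); only its timestamp is used.
KADMIND_OK = ["Aug 31 12:00:10 kdc1.ourdomain.com kadmind[4660](Notice): constructed entry"]

if __name__ == "__main__":
    print(unanswered_changepw(KDC_LOG, []))          # kadmind log empty, as in the post
    print(unanswered_changepw(KDC_LOG, KADMIND_OK))  # kadmind logged something in time
```

A non-empty result names the client and source address whose change-password ticket was issued with no kadmind activity afterwards, which is the situation reported here.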


