change password expired because domain is not found

Jeffrey Altman jaltman2 at
Tue Jun 22 11:19:06 EDT 2004

MIT.REALM.COM is an external realm.
External realms are not searched for using LDAP.
Once again:

	What is the configuration of the machine with KSETUP?

	Do you have entries for kdc and kpasswd in the KSETUP 		

	If yes, do they map to valid DNS addresses?

	Are those addresses reachable?

Windows will only try the first address returned for each name.
If you are using an alias name pointing to multiple servers and
one of the servers is not reachable, you will fail.

UDP is tried before TCP but TCP will be used if the tickets are
too large.

Lara Adianto wrote:
> hello everybody,
> I've posted this question a few weeks ago, but no one
> replied, and *sigh*, I'm still stuck.
> Scenario:
> Win2k client authenticates to MIT KDC
> Problem:
> When the user's password is expired, windows will
> prompt user with new password. However, change
> password failed because domain MIT.REALM.COM cannot be
> found.
> From ethereal, I can see that the win2k client does a
> CLDAP request, with filter: (&(DnsDomain =
> MIT.REALM.COM)(Host=win2k_machine)(NtVer=\006). Since
> this is not successful, it does IPX request and then
> NBNS for domain MIT.REALM.COM.
> How can I resolve this problem ?
> 1. Should I setup a MS-CLDAP server on a w2kserver
> (which is not my KDC), or can I use openldap with
> --enable-cldap (anyone ever tried this ?) ? 
> 2. Is there any better and easier way than setting up
> the CLDAP server ? WINS ? 
> regards,
> lara
> =====
> ------------------------------------------------------------------------------------ 
> Life, you see, is never as good or as bad as one thinks
>                                                                         - Guy de Maupassant -
> ------------------------------------------------------------------------------------

This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
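
Added example, not part of the original message: a Python check of the "first address only" failure mode described in the reply, run against the kdc and kpasswd host names configured with KSETUP. The ports 88 and 464 are the standard Kerberos and kpasswd ports; the host name in the `__main__` section is hypothetical, and the local resolver's address order is assumed to match what the Windows client sees.

```python
import socket

KDC_PORT, KPASSWD_PORT = 88, 464  # standard Kerberos and kpasswd ports

def resolve(name, port):
    """Return IPv4 addresses for name in resolver order, duplicates removed."""
    seen = []
    for info in socket.getaddrinfo(name, port, socket.AF_INET, socket.SOCK_STREAM):
        addr = info[4][0]
        if addr not in seen:
            seen.append(addr)
    return seen

def tcp_probe(addr, port, timeout=3.0):
    """True if a TCP connection to addr:port succeeds (UDP is not probed)."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_service(name, port, resolver=resolve, probe=tcp_probe):
    """Classify a kdc/kpasswd name as a first-address-only client sees it."""
    try:
        addrs = resolver(name, port)
    except OSError:  # includes socket.gaierror (name does not resolve)
        addrs = []
    if not addrs:
        return {"name": name, "port": port, "status": "unresolvable", "addresses": []}
    reach = [(a, probe(a, port)) for a in addrs]
    if reach[0][1]:
        status = "ok"
    elif any(ok for _, ok in reach[1:]):
        # An alias with several servers hides a dead one in first position.
        status = "first-address-down"
    else:
        status = "unreachable"
    return {"name": name, "port": port, "status": status, "addresses": reach}

if __name__ == "__main__":
    # Hypothetical host name; substitute the kdc/kpasswd names from KSETUP.
    for host, port in [("kdc.mit.realm.com", KDC_PORT),
                       ("kdc.mit.realm.com", KPASSWD_PORT)]:
        print(check_service(host, port))
```

If the alias is served round-robin, the address order changes between lookups, so repeat the check a few times before concluding the name is healthy.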
