change password expired because domain is not found
Lara Adianto
m1r4cle_26 at yahoo.com
Tue Jun 22 21:47:07 EDT 2004
--- Jeffrey Altman <jaltman2 at nyc.rr.com> wrote:
> MIT.REALM.COM is an external realm.
Yes, I'm authenticating a Windows machine to a
non-Windows KDC.
> External realms are not searched for using LDAP.
> Once again:
>
> What is the configuration of the machine with
> KSETUP?
default realm = ADIANTO.COM <external>
ADIANTO.COM:
kdc = kerberos.adianto.com
Mapping lara at ADIANTO.COM to lara
I also added: RealmFlags = 8
> Do you have entries for kdc and kpasswd in the
> KSETUP
> configuration?
kdc yes, kpasswd no. Is it necessary to have kpasswd?
I have no problem changing the password when it's not
expired yet.
> If yes, do they map to valid DNS addresses?
>
> Are those addresses reachable?
Well, I set up a DNS server on a win2k server, and I'm
able to ping kerberos.adianto.com from the win2k prof
client.
> Windows will only try the first address returned for
> each name.
> If you are using an alias name pointing to multiple
> servers and
> one of the servers is not reachable, you will fail.
>
> UDP is tried before TCP but TCP will be used if the
> tickets are
> too large.
I don't have an alias name in my DNS. Mmm, I have no idea
why it does a CLDAP request. Any clue why this happened?
Thanks again before. You have been really helpful to
me in the process of understanding this whole new
concept.
regards,
-lara-
> Lara Adianto wrote:
> > hello everybody,
> >
> > I've posted this question a few weeks ago, but no one
> > replied, and *sigh*, I'm still stuck.
> >
> > Scenario:
> > Win2k client authenticates to MIT KDC
> >
> > Problem:
> > When the user's password is expired, windows will
> > prompt user with new password. However, change
> > password failed because domain MIT.REALM.COM cannot be
> > found.
> >
> > From ethereal, I can see that the win2k client does a
> > CLDAP request, with filter: (&(DnsDomain =
> > MIT.REALM.COM)(Host=win2k_machine)(NtVer=\006). Since
> > this is not successful, it does IPX request and then
> > NBNS for domain MIT.REALM.COM.
> >
> > How can I resolve this problem ?
> > 1. Should I setup a MS-CLDAP server on a w2kserver
> > (which is not my KDC), or can I use openldap with
> > --enable-cldap (anyone ever tried this?)?
> > 2. Is there any better and easier way than setting up
> > the CLDAP server? WINS?
> >
> > regards,
> > lara
=====
------------------------------------------------------------------------------------
La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
- Guy de Maupassant -
------------------------------------------------------------------------------------
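
The checks asked for in the quoted reply (kdc and kpasswd entries present, each name resolves, and no name returns several addresses of which only the first is tried), written out as an added example that is not part of the original thread. The function names are hypothetical, the sample dump is reconstructed from the message above, and the `kpasswd = host` line format is assumed to mirror the `kdc =` line.

```python
import re
import socket

# Constructed sample: the ksetup dump quoted in the message above.
SAMPLE_KSETUP = """\
default realm = ADIANTO.COM <external>
ADIANTO.COM:
kdc = kerberos.adianto.com
Mapping lara at ADIANTO.COM to lara
"""

def parse_ksetup(text):
    """Return {realm: {"kdc": [...], "kpasswd": [...]}} from a ksetup dump."""
    realms, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"([A-Za-z0-9.-]+):", line)  # realm header line
        if m:
            current = realms.setdefault(m.group(1), {"kdc": [], "kpasswd": []})
            continue
        # Assumption: kpasswd entries are printed like "kdc = host" lines.
        m = re.fullmatch(r"(kdc|kpasswd)\s*=\s*(\S+)", line, re.IGNORECASE)
        if m and current is not None:
            current[m.group(1).lower()].append(m.group(2))
    return realms

def system_resolver(host):
    """All IPv4 addresses for host, in resolver order (needs working DNS)."""
    try:
        infos = socket.getaddrinfo(host, 88, socket.AF_INET, socket.SOCK_DGRAM)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]

def audit(text, resolve=system_resolver):
    """List findings matching the questions asked in the thread."""
    findings = []
    for realm, entries in parse_ksetup(text).items():
        for kind in ("kdc", "kpasswd"):
            if not entries[kind]:
                findings.append(f"{realm}: no {kind} entry")
            for host in entries[kind]:
                addrs = resolve(host)
                if not addrs:
                    findings.append(f"{realm}: {kind} {host} does not resolve")
                elif len(addrs) > 1:
                    findings.append(f"{realm}: {kind} {host} has {len(addrs)} "
                                    f"addresses; only {addrs[0]} is tried")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_KSETUP)))
```

Pass a custom `resolve` callable to run the audit against a known name-to-address table instead of live DNS.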