change password expired because domain is not found

Lara Adianto m1r4cle_26 at yahoo.com
Tue Jun 22 21:47:07 EDT 2004


--- Jeffrey Altman <jaltman2 at nyc.rr.com> wrote:
> MIT.REALM.COM is an external realm.
Yes, I'm authenticating a Windows machine to a
non-Windows KDC.

> External realms are not searched for using LDAP.
> Once again:
> 
> 	What is the configuration of the machine with KSETUP?
default realm = ADIANTO.COM <external>
ADIANTO.COM:
        kdc = kerberos.adianto.com
Mapping lara@ADIANTO.COM to lara

I also added: RealmFlags = 8

> 	Do you have entries for kdc and kpasswd in the KSETUP
> 	configuration?
kdc yes, kpasswd no. Is it necessary to have kpasswd?
I have no problem changing the password when it's not
expired yet.

> 	If yes, do they map to valid DNS addresses?
> 
> 	Are those addresses reachable?
Well, I set up a DNS server on a win2k server, and I'm
able to ping kerberos.adianto.com from the win2k prof
client.

> Windows will only try the first address returned for each name.
> If you are using an alias name pointing to multiple servers and
> one of the servers is not reachable, you will fail.
> 
> UDP is tried before TCP but TCP will be used if the tickets are
> too large.

I don't have an alias name in my DNS. Mmm, I have no idea
why it does a CLDAP request. Any clue why this happened?

Thanks again. You have been really helpful to me in the
process of understanding this whole new concept.

regards,
-lara-
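As an added example (not part of the thread): the KSETUP commands that would produce the client configuration listed above, together with the kpasswd entry Jeffrey asks about and a check that the names resolve. The realm and KDC name are the ones from the thread; that the kpasswd service runs on the same host as the KDC is an assumption.

```batch
@echo off
rem Added example: configure a Windows client for the external MIT realm from the thread.
rem Assumption: the kpasswd (change-password) service runs on the KDC host kerberos.adianto.com.

rem Default realm is the external, non-Active-Directory realm.
ksetup /setdomain ADIANTO.COM

rem KDC for the realm (the "kdc = kerberos.adianto.com" entry shown in the thread).
ksetup /addkdc ADIANTO.COM kerberos.adianto.com

rem Change-password server for the realm; this is the kpasswd entry missing from Lara's configuration.
ksetup /addkpasswd ADIANTO.COM kerberos.adianto.com

rem Map the Kerberos principal to the local account, as in the thread.
ksetup /mapuser lara@ADIANTO.COM lara

rem Realm flags: ncsupported is the 0x8 bit, matching "RealmFlags = 8" in the thread.
ksetup /setrealmflags ADIANTO.COM ncsupported

rem Check from the client that the KDC name resolves, then show the resulting configuration.
nslookup kerberos.adianto.com
ksetup /dumpstate
```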

> Lara Adianto wrote:
> > hello everybody,
> > 
> > I posted this question a few weeks ago, but no one
> > replied, and *sigh*, I'm still stuck.
> > 
> > Scenario:
> > Win2k client authenticates to MIT KDC
> > 
> > Problem:
> > When the user's password has expired, Windows will
> > prompt the user for a new password. However, the password
> > change failed because the domain MIT.REALM.COM cannot be
> > found.
> > 
> > From Ethereal, I can see that the win2k client does a
> > CLDAP request, with filter: (&(DnsDomain =
> > MIT.REALM.COM)(Host=win2k_machine)(NtVer=\006). Since
> > this is not successful, it does an IPX request and then
> > NBNS for domain MIT.REALM.COM.
> > 
> > How can I resolve this problem?
> > 1. Should I set up an MS-CLDAP server on a W2K server
> > (which is not my KDC), or can I use OpenLDAP with
> > --enable-cldap (has anyone ever tried this?)?
> > 2. Is there any better and easier way than setting up
> > the CLDAP server? WINS?
> > 
> > regards,
> > lara
> > 


=====
La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
                                                    - Guy de Maupassant -



