change password expired because domain is not found

Lara Adianto m1r4cle_26 at yahoo.com
Fri Jun 25 04:15:29 EDT 2004


I've added kpasswd using ksetup:
C:\>ksetup
default realm = ADIANTO.COM <external>
ADIANTO.COM:
    kdc = kerberos.adianto.com
    kpasswd = kerberos.adianto.com
Mapping lara at ADIANTO.COM to lara
But it didn't work.

I've changed the DNS server (from Win2k server to
linux), and added _kpasswd._udp.ADIANTO.COM, but it
didn't work either...

This is what happened (as captured by ethereal):
1. AS-REQ from win client (Testw2k8) to MIT KDC
2. KRB-ERR from MIT KDC to client (Testw2k8) that key
is expired
3. DNS query from win client to DNS server for
_ldap._tcp.dc._msdcs.ADIANTO.COM type SRV class inet
(why did it query for msdcs??? I finally added the entry,
but it still didn't work out)
4. CLDAP query from client to DNS server with
Filter(&(DnsDomain = ADIANTO.COM)(Host =
Testw2k8)(NtVer=\006) attr=NetLogon
5. NBIPX: Find name ADIANTO.COM
6. NBNS: Name query NB ADIANTO.COM
7. NetLogon: Query for PDC from Testw2k8

Where did it go wrong ?

These are my DNS entries:
;
; Zone file for adianto.com
;
; The full zone file
;
$TTL 3D
@       IN      SOA     kserver.adianto.com. hostmaster.adianto.com. (
                        199802151       ; serial, todays date + todays serial #
                        8H              ; refresh, seconds
                        2H              ; retry, seconds
                        4W              ; expire, seconds
                        1D )            ; minimum, seconds
;
                NS      kserver         ; Inet Address of name server
;
localhost       A       127.0.0.1
kerberos        A       192.168.168.106
testw2k8        A       192.168.168.94
;
; Master setup
_kerberos._udp          IN      SRV     0 0 88  kerberos.adianto.com.
_kerberos._tcp          IN      SRV     0 0 88  kerberos.adianto.com.
_kpasswd._udp           IN      SRV     0 0 464 kerberos.adianto.com.
_ldap._tcp.dc._msdcs    IN      SRV     0 0 389 kerberos.adianto.com.
;
; Round-robin setup
_kerberos._udp          IN      SRV     0 0 88  kerberos

regards,
lara

--- Jeffrey Altman <jaltman at columbia.edu> wrote:
> Define the kpasswd entries with KSETUP or add _kpasswd._udp.<realm> SRV
> records to DNS.  Otherwise, Windows is probably using LDAP to try to find
> the change password service.
> 
> Lara Adianto wrote:
> 
> >--- Jeffrey Altman <jaltman2 at nyc.rr.com> wrote:
> >
> >>MIT.REALM.COM is an external realm.
> >
> >Yes, I'm authenticating a windows machine to a non-windows KDC
> >
> >>External realms are not searched for using LDAP.
> >>Once again:
> >>
> >>	What is the configuration of the machine with KSETUP?
> >
> >default realm = ADIANTO.COM <external>
> >ADIANTO.COM:
> >        kdc = kerberos.adianto.com
> >Mapping lara at ADIANTO.COM to lara
> >
> >I also added: RealmFlags = 8
> >
> >>	Do you have entries for kdc and kpasswd in the KSETUP
> >>	configuration?
> >
> >kdc yes, kpasswd no. Is it necessary to have kpasswd ?
> >I have no problem changing the password when it's not expired yet.
> >
> >>	If yes, do they map to valid DNS addresses?
> >>
> >>	Are those addresses reachable?
> >
> >Well, I set up a DNS server on a win2k server, and I'm able to ping
> >kerberos.adianto.com from the win2k prof client.
> >
> >>Windows will only try the first address returned for each name.
> >>If you are using an alias name pointing to multiple servers and
> >>one of the servers is not reachable, you will fail.
> >>
> >>UDP is tried before TCP but TCP will be used if the tickets are
> >>too large.
> >
> >I don't have an alias name in my DNS. Mmm, I have no idea why it does
> >a CLDAP request. Any clue why this happened ?
> >
> >Thanks again before. You have been really helpful to me in the process
> >of understanding this whole new concept.
> >
> >regards,
> >-lara-
> >
> >>Lara Adianto wrote:
> >>
> >>>hello everybody,
> >>>
> >>>I've posted this question a few weeks ago, but no one replied, and
> >>>*sigh*, I'm still stuck.
> >>>
> >>>Scenario:
> >>>Win2k client authenticates to MIT KDC
> >>>
> >>>Problem:
> >>>When the user's password is expired, windows will prompt the user for
> >>>a new password. However, the change password failed because domain
> >>>MIT.REALM.COM cannot be found.
> >>>
> >>>From ethereal, I can see that the win2k client does a CLDAP request,
> >>>with filter: (&(DnsDomain = MIT.REALM.COM)(Host=win2k_machine)(NtVer=\006).
> >>>Since this is not successful, it does an IPX request and then NBNS
> >>>for domain MIT.REALM.COM.
> >>>
> >>>How can I resolve this problem ?
> >>>1. Should I set up a MS-CLDAP server on a w2kserver (which is not my
> >>>   KDC), or can I use openldap with --enable-cldap (anyone ever tried
> >>>   this ?) ?
> >>>2. Is there any better and easier way than setting up the CLDAP
> >>>   server ? WINS ?
> >>>
> >>>regards,
> >>>lara
> >>
> >>-- 
> >>-----------------
> >>This e-mail account is not read on a regular basis.
> 
=== message truncated ===




=====
------------------------------------------------------------------------------------ 
La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
                                                                        - Guy de Maupassant -
------------------------------------------------------------------------------------
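The thread turns on whether the client can locate the realm's KDC and password-change service through DNS SRV records rather than through the AD/CLDAP path. As an added example (not code from the post or from the Kerberos list), the Python script below parses a BIND-style zone such as the one posted above and checks the three records Jeffrey Altman asks for: _kerberos._udp, _kerberos._tcp and _kpasswd._udp under the realm, each on its well-known port (88 for Kerberos, 464 for kpasswd) and each pointing at a host that actually has an A record in the zone. It also flags NS targets inside the zone that have no A record. The zone text is the posted one re-joined where the mail client wrapped it; the $ORIGIN of adianto.com. is an assumption, since the post does not show one.

```python
"""Check the DNS records a Windows client needs to find an external Kerberos
realm's KDC and password-change service (added example; not from the post)."""

ORIGIN = "adianto.com."  # assumption: the post does not show a $ORIGIN line

# Service records and their well-known ports: Kerberos on 88 (RFC 4120),
# kpasswd on 464 (RFC 3244).  These are the records the reply asks for.
REQUIRED_SRV = {"_kerberos._udp": 88, "_kerberos._tcp": 88, "_kpasswd._udp": 464}

# The zone from the post, re-joined where the mail client wrapped its lines.
ZONE = """\
$TTL 3D
@       IN      SOA     kserver.adianto.com. hostmaster.adianto.com. (
                        199802151       ; serial
                        8H              ; refresh
                        2H              ; retry
                        4W              ; expire
                        1D )            ; minimum
                NS      kserver         ; name server
localhost       A       127.0.0.1
kerberos        A       192.168.168.106
testw2k8        A       192.168.168.94
_kerberos._udp          IN      SRV     0 0 88  kerberos.adianto.com.
_kerberos._tcp          IN      SRV     0 0 88  kerberos.adianto.com.
_kpasswd._udp           IN      SRV     0 0 464 kerberos.adianto.com.
_ldap._tcp.dc._msdcs    IN      SRV     0 0 389 kerberos.adianto.com.
_kerberos._udp          IN      SRV     0 0 88  kerberos
"""


def qualify(name, origin):
    """Turn a zone-file name into an absolute, lower-case FQDN."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin=ORIGIN):
    """Minimal BIND zone parser returning (owner, type, rdata tokens) tuples.
    Handles ';' comments, '(' ... ')' continuation lines, $ORIGIN, and the
    leading-whitespace rule that reuses the previous record's owner name."""
    records, owner, logical, depth = [], origin, "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # drop comments
        if not line.strip() and depth == 0:
            continue
        logical = f"{logical} {line}" if logical else line
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue                         # still inside parentheses
        rec, logical = logical, ""
        if rec.startswith("$"):              # directive
            parts = rec.split(None, 1)
            if parts[0].upper() == "$ORIGIN" and len(parts) > 1:
                origin = parts[1].strip().lower()
            continue
        tokens = rec.replace("(", " ").replace(")", " ").split()
        if not tokens:
            continue
        if rec[0] not in " \t":              # explicit owner name
            owner = qualify(tokens.pop(0), origin)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)                    # optional TTL / class
        if tokens:
            records.append((owner, tokens.pop(0).upper(), tokens))
    return records


def check_realm(records, realm, origin=ORIGIN):
    """Per required service: 'ok', 'missing', or a description of the problem."""
    realm = realm.rstrip(".").lower()
    addressed = {o for o, t, _ in records if t in ("A", "AAAA")}
    report = {}
    for svc, port in REQUIRED_SRV.items():
        name = f"{svc}.{realm}."
        rdatas = [r for o, t, r in records if o == name and t == "SRV"]
        if not rdatas:
            report[svc] = "missing"
            continue
        problems = []
        for rdata in rdatas:
            _prio, _weight, rport, target = rdata[:4]
            target = qualify(target, origin)
            if int(rport) != port:
                problems.append(f"port {rport}, expected {port}")
            if target not in addressed:
                problems.append(f"target {target} has no A record")
        report[svc] = "ok" if not problems else "; ".join(problems)
    return report


def unresolvable_ns(records, origin=ORIGIN):
    """In-zone NS targets with no A record: resolvers cannot reach them."""
    addressed = {o for o, t, _ in records if t in ("A", "AAAA")}
    targets = {qualify(r[0], origin) for _, t, r in records if t == "NS"}
    return sorted(n for n in targets if n.endswith(origin) and n not in addressed)


if __name__ == "__main__":
    recs = parse_zone(ZONE)
    for svc, status in check_realm(recs, "ADIANTO.COM").items():
        print(f"{svc:16} {status}")
    for ns in unresolvable_ns(recs):
        print(f"NS {ns} has no A record in the zone")
```

Run against the posted zone, the three realm records come back "ok", while the NS check reports that kserver.adianto.com. has no A record, which is worth fixing before blaming the client. The _ldap._tcp.dc._msdcs record is deliberately not in the required set: it is the Active Directory domain-controller locator record, and, as the reply says, external realms are not located through LDAP.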