change password expired because domain is not found
Jeffrey Altman
jaltman2 at nyc.rr.com
Fri Jun 25 14:08:13 EDT 2004
All I can say is that this is not how it is supposed to
work. Clearly there is a bug. Perhaps it is fixed in
a service pack which has not been applied. Perhaps not.
If you have a support contract with Microsoft I suggest
you use it.
Jeffrey Altman
Lara Adianto wrote:
> I've added kpasswd using ksetup:
> C:/>ksetup
> default realm = ADIANTO.COM <external>
> ADIANTO.COM:
> kdc = kerberos.adianto.com
> kpasswd = kerberos.adianto.com
> Mapping lara at ADIANTO.COM to lara
> But it didn't work.
>
> I've changed the DNS server (from Win2k server to
> linux), and added _kpasswd._udp.ADIANTO.COM, but it
> didn't work either...
>
> This is what happened (as captured by ethereal):
> 1. AS-REQ from win client (Testw2k8) to MIT KDC
> 2. KRB-ERR from MIT KDC to client (Testw2k8) that key
> is expired
> 3. DNS query from win client to DNS server for
> _ldap._tcp.dc._msdcs.ADIANTO.COM type SRV class inet
> (why did it query for msdcs ???, I added the entry
> finally, but it still didn't work out )
> 4. CLDAP query from client to DNS server with
> Filter(&(DnsDomain = ADIANTO.COM)(Host =
> Testw2k8)(NtVer=\006) attr=NetLogon
> 5. NBIPX: Find name ADIANTO.COM
> 6. NBNS: Name query NB ADIANTO.COM
> 7. NetLogon: Query for PDC from Testw2k8
>
> Where did it go wrong ?
>
> These are my DNS entries:
> ;
> ; Zone file for adianto.com
> ;
> ; The full zone file
> ;
> $TTL 3D
> @ IN SOA kserver.adianto.com. hostmaster.adianto.com. (
>         199802151 ; serial, todays date + todays serial #
>         8H        ; refresh, seconds
>         2H        ; retry, seconds
>         4W        ; expire, seconds
>         1D )      ; minimum, seconds
> ;
>         NS kserver ; Inet Address of name server
> ;
> localhost A 127.0.0.1
> kerberos  A 192.168.168.106
> testw2k8  A 192.168.168.94
> ;
> ; Master setup
> _kerberos._udp IN SRV 0 0 88  kerberos.adianto.com.
> _kerberos._tcp IN SRV 0 0 88  kerberos.adianto.com.
> _kpasswd._udp  IN SRV 0 0 464 kerberos.adianto.com.
> _ldap._tcp.dc._msdcs IN SRV 0 0 389 kerberos.adianto.com.
> ;
> ; Round-robin setup
> _kerberos._udp IN SRV 0 0 88  kerberos
>
> regards,
> lara
>
> --- Jeffrey Altman <jaltman at columbia.edu> wrote:
>
>>Define the kpasswd entries with KSETUP or add
>>_kpasswd._udp.<realm> SRV records to DNS. Otherwise,
>>Windows is probably using LDAP to try to find the
>>change password service.
>>
>>Lara Adianto wrote:
>>
>>>--- Jeffrey Altman <jaltman2 at nyc.rr.com> wrote:
>>>
>>>>MIT.REALM.COM is an external realm.
>>>
>>>Yes, I'm authenticating windows machine to a
>>>non-windows KDC
>>>
>>>>External realms are not searched for using LDAP.
>>>>Once again:
>>>>
>>>> What is the configuration of the machine with
>>>>KSETUP?
>>>
>>>default realm = ADIANTO.COM <external>
>>>ADIANTO.COM:
>>> kdc = kerberos.adianto.com
>>>Mapping lara at ADIANTO.COM to lara
>>>
>>>I also added: RealmFlags = 8
>>>
>>>> Do you have entries for kdc and kpasswd in the
>>>>KSETUP configuration?
>>>
>>>kdc yes, kpasswd no. Is it necessary to have kpasswd ?
>>>I have no problem changing the password when it's not
>>>expired yet.
>>>
>>>> If yes, do they map to valid DNS addresses?
>>>>
>>>> Are those addresses reachable?
>>>
>>>Well, I set up a DNS server on a win2k server, and I'm
>>>able to ping kerberos.adianto.com from the win2k prof
>>>client.
>>>
>>>>Windows will only try the first address returned for
>>>>each name.
>>>>If you are using an alias name pointing to multiple
>>>>servers and one of the servers is not reachable, you
>>>>will fail.
>>>>UDP is tried before TCP but TCP will be used if the
>>>>tickets are too large.
>>>
>>>I don't have alias name in my DNS. Mmm, I have no idea
>>>why it does CLDAP request. Any clue why this happened ?
>>>
>>>Thanks again before. You have been really helpful to
>>>me in the process of understanding this whole new
>>>concept.
>>>
>>>regards,
>>>-lara-
>>>
>>>>Lara Adianto wrote:
>>>>
>>>>>hello everybody,
>>>>>
>>>>>I've posted this question a few weeks ago, but no one
>>>>>replied, and *sigh*, I'm still stuck.
>>>>>
>>>>>Scenario:
>>>>>Win2k client authenticates to MIT KDC
>>>>>
>>>>>Problem:
>>>>>When the user's password is expired, windows will
>>>>>prompt user with new password. However, change
>>>>>password failed because domain MIT.REALM.COM cannot be
>>>>>found.
>>>>>
>>>>>From ethereal, I can see that the win2k client does a
>>>>>CLDAP request, with filter: (&(DnsDomain =
>>>>>MIT.REALM.COM)(Host=win2k_machine)(NtVer=\006). Since
>>>>>this is not successful, it does IPX request and then
>>>>>NBNS for domain MIT.REALM.COM.
>>>>>
>>>>>How can I resolve this problem ?
>>>>>1. Should I setup a MS-CLDAP server on a w2kserver
>>>>>(which is not my KDC), or can I use openldap with
>>>>>--enable-cldap (anyone ever tried this ?) ?
>>>>>2. Is there any better and easier way than setting up
>>>>>the CLDAP server ? WINS ?
>>>>>
>>>>>regards,
>>>>>lara
>>>>>
>>>>>________________________________________________
>>>>>Kerberos mailing list Kerberos at mit.edu
>>>>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>
> === message truncated ===
>
> =====
> ------------------------------------------------------------------------------------
> La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
> - Guy de Maupassant -
> ------------------------------------------------------------------------------------
--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
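A small pre-flight check for the DNS side of the advice in this thread (SRV records for the KDC and for the password-change service of an external realm), added here as an example; it is not code from the thread, from MIT Kerberos or from Microsoft. It assumes a BIND-style zone text. The two sample zones are constructed, modelled on the zone file quoted above with the SOA shortened; the hostnames and addresses are taken from that quote purely as illustration. The "only the first address is tried" warning encodes the behaviour Jeffrey describes above; the script does not verify that against Windows itself.

```python
"""Check that a zone carries the SRV records a Windows client needs for an
external (non-AD) Kerberos realm: KDC on 88/udp and 88/tcp, kpasswd on 464/udp.
Sample zones below are constructed for this example."""
import re

# Constructed sample, modelled on the zone quoted in the thread: the end state,
# with both the KDC and the kpasswd SRV records present.
ZONE_WITH_KPASSWD = """\
$TTL 3D
@   IN SOA kserver.adianto.com. hostmaster.adianto.com. (
        199802151 ; serial
        8H 2H 4W 1D )
    NS kserver
localhost   A   127.0.0.1
kerberos    A   192.168.168.106
testw2k8    A   192.168.168.94
_kerberos._udp  IN SRV 0 0 88  kerberos.adianto.com.
_kerberos._tcp  IN SRV 0 0 88  kerberos.adianto.com.
_kpasswd._udp   IN SRV 0 0 464 kerberos.adianto.com.
"""

# The same zone before _kpasswd._udp was added (the state the thread starts from).
ZONE_WITHOUT_KPASSWD = "\n".join(
    l for l in ZONE_WITH_KPASSWD.splitlines() if not l.startswith("_kpasswd")
) + "\n"

REQUIRED = (("_kerberos._udp", 88), ("_kerberos._tcp", 88), ("_kpasswd._udp", 464))
TTL_RE = re.compile(r"^\d+[smhdwSMHDW]?$")
CLASSES = {"IN", "CH", "HS"}


def _qualify(name, origin):
    """Make a relative owner or target name absolute under origin ('@' = origin)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _logical_lines(text):
    """Yield (starts_indented, tokens) per record: strips ';' comments and joins
    parenthesised multi-line rdata such as the SOA."""
    buf, depth, indented = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if not buf:
            indented = line[0].isspace()
        buf.append(line.strip())
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield indented, " ".join(buf).replace("(", " ").replace(")", " ").split()
            buf = []


def parse_zone(text, origin):
    """Minimal BIND-style parser -> list of (owner, rtype, rdata tokens), names
    lower-cased and absolute. Indented lines inherit the previous owner; optional
    TTL and class fields are skipped. Deliberately not a full RFC 1035 parser."""
    origin = origin.lower().rstrip(".") + "."
    records, last_owner = [], origin
    for indented, tok in _logical_lines(text):
        if tok[0].startswith("$"):            # $TTL and similar directives
            continue
        if indented:
            owner = last_owner
        else:
            owner, tok = _qualify(tok[0].lower(), origin), tok[1:]
        last_owner = owner
        while tok and (TTL_RE.match(tok[0]) or tok[0].upper() in CLASSES):
            tok = tok[1:]
        records.append((owner, tok[0].upper(), tok[1:]))
    return records


def check_realm(records, realm, origin):
    """Findings for the three SRV names a Windows client uses for an external realm.
    Empty list: each required record exists, has the expected port, and points
    at a name with exactly one A record in the zone."""
    origin = origin.lower().rstrip(".") + "."
    realm = realm.lower().rstrip(".") + "."
    a_count = {}
    for owner, rtype, _ in records:
        if rtype == "A":
            a_count[owner] = a_count.get(owner, 0) + 1
    srv = {}
    for owner, rtype, rdata in records:
        if rtype == "SRV" and len(rdata) >= 4:   # priority weight port target
            srv.setdefault(owner, []).append(
                (int(rdata[2]), _qualify(rdata[3].lower(), origin)))
    findings = []
    for service, want_port in REQUIRED:
        name = f"{service}.{realm}"
        if name not in srv:
            findings.append(f"missing SRV record {name}")
            continue
        for port, target in srv[name]:
            if port != want_port:
                findings.append(f"{name}: port {port}, expected {want_port}")
            n = a_count.get(target, 0)
            if n == 0:
                findings.append(f"{name}: target {target} has no A record in the zone")
            elif n > 1:   # per the thread, Windows only tries the first address returned
                findings.append(f"{name}: target {target} has {n} A records; only the first is tried")
    return findings


if __name__ == "__main__":
    for label, zone in (("without kpasswd", ZONE_WITHOUT_KPASSWD),
                        ("with kpasswd", ZONE_WITH_KPASSWD)):
        found = check_realm(parse_zone(zone, "adianto.com"), "ADIANTO.COM", "adianto.com")
        print(f"{label}: {found or 'OK'}")
```

Run it against a real zone with `parse_zone(open(path).read(), "example.com")` and the realm name the client has in KSETUP; an empty result is the clean state, and `missing SRV record _kpasswd._udp...` is the state the thread starts from. It only covers the DNS records Jeffrey lists; the CLDAP and `_ldap._tcp.dc._msdcs` lookups seen in the capture are, per the thread, not expected for an external realm at all, so their presence is a client-side question rather than something a zone check can answer.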