change password expired because domain is not found

Jeffrey Altman jaltman2 at nyc.rr.com
Mon Jun 28 09:51:48 EDT 2004


According to a contact at Microsoft, this is a bug in Win2000's winlogon.exe
which will not be fixed.  Instead users should enter their login name as

    lara@ADIANTO.COM

or upgrade to XP.   This should be published as a Knowledge Base
article soon.

Jeffrey Altman

Lara Adianto wrote:

>I've added kpasswd using ksetup:
>C:\>ksetup
>default realm = ADIANTO.COM <external>
>ADIANTO.COM:
>    kdc = kerberos.adianto.com
>    kpasswd = kerberos.adianto.com
>Mapping lara@ADIANTO.COM to lara
>But it didn't work.
>
>I've changed the DNS server (from Win2k server to linux), and added
>_kpasswd._udp.ADIANTO.COM, but it didn't work as well...
>
>This is what happened (as captured by ethereal):
>1. AS-REQ from win client (Testw2k8) to MIT KDC
>2. KRB-ERR from MIT KDC to client (Testw2k8) that key is expired
>3. DNS query from win client to DNS server for
>   _ldap._tcp.dc._msdcs.ADIANTO.COM type SRV class inet
>   (why did it query for msdcs ???, I added the entry finally, but it
>   still didn't work out)
>4. CLDAP query from client to DNS server with
>   Filter(&(DnsDomain = ADIANTO.COM)(Host = Testw2k8)(NtVer=\006) attr=NetLogon
>5. NBIPX: Find name ADIANTO.COM
>6. NBNS: Name query NB ADIANTO.COM
>7. NetLogon: Query for PDC from Testw2k8
>
>Where did it go wrong ?
>
>These are my DNS entries:
>;
>; Zone file for adianto.com
>;
>; The full zone file
>;
>$TTL 3D
>@       IN      SOA     kserver.adianto.com. hostmaster.adianto.com. (
>                        199802151       ; serial, todays date + todays serial #
>                        8H              ; refresh, seconds
>                        2H              ; retry, seconds
>                        4W              ; expire, seconds
>                        1D )            ; minimum, seconds
>;
>                NS      kserver         ; Inet Address of name server
>;
>localhost       A       127.0.0.1
>kerberos        A       192.168.168.106
>testw2k8        A       192.168.168.94
>;
>; Master setup
>_kerberos._udp          IN      SRV     0 0 88  kerberos.adianto.com.
>_kerberos._tcp          IN      SRV     0 0 88  kerberos.adianto.com.
>_kpasswd._udp           IN      SRV     0 0 464 kerberos.adianto.com.
>_ldap._tcp.dc._msdcs    IN      SRV     0 0 389 kerberos.adianto.com.
>;
>; Round-robin setup
>_kerberos._udp          IN      SRV     0 0 88  kerberos
>
>regards,
>lara
>
>--- Jeffrey Altman <jaltman at columbia.edu> wrote:
>
>>Define the kpasswd entries with KSETUP or add _kpasswd._udp.<realm> SRV
>>records to DNS.  Otherwise, Windows is probably using LDAP to try to find
>>the change password service.
>>
>>Lara Adianto wrote:
>>
>>>--- Jeffrey Altman <jaltman2 at nyc.rr.com> wrote:
>>>
>>>>MIT.REALM.COM is an external realm.
>>>
>>>Yes, I'm authenticating a Windows machine to a non-Windows KDC.
>>>
>>>>External realms are not searched for using LDAP.
>>>>Once again:
>>>>
>>>>	What is the configuration of the machine with KSETUP?
>>>
>>>default realm = ADIANTO.COM <external>
>>>ADIANTO.COM:
>>>       kdc = kerberos.adianto.com
>>>Mapping lara@ADIANTO.COM to lara
>>>
>>>I also added: RealmFlags = 8
>>>
>>>>	Do you have entries for kdc and kpasswd in the KSETUP
>>>>	configuration?
>>>
>>>kdc yes, kpasswd no. Is it necessary to have kpasswd ? I have no
>>>problem changing the password when it's not expired yet.
>>>
>>>>	If yes, do they map to valid DNS addresses?
>>>>
>>>>	Are those addresses reachable?
>>>
>>>Well, I set up a DNS server on a win2k server, and I'm able to ping
>>>kerberos.adianto.com from the win2k prof client.
>>>
>>>>Windows will only try the first address returned for each name.
>>>>If you are using an alias name pointing to multiple servers and
>>>>one of the servers is not reachable, you will fail.
>>>>UDP is tried before TCP but TCP will be used if the tickets are
>>>>too large.
>>>
>>>I don't have an alias name in my DNS. Mmm, I have no idea why it does
>>>a CLDAP request. Any clue why this happened ?
>>>
>>>Thanks again before. You have been really helpful to me in the process
>>>of understanding this whole new concept.
>>>
>>>regards,
>>>-lara-
>>>
>>>>Lara Adianto wrote:
>>>>
>>>>>hello everybody,
>>>>>
>>>>>I've posted this question a few weeks ago, but no one replied, and
>>>>>*sigh*, I'm still stuck.
>>>>>
>>>>>Scenario:
>>>>>Win2k client authenticates to MIT KDC
>>>>>
>>>>>Problem:
>>>>>When the user's password is expired, windows will prompt user with
>>>>>new password. However, change password failed because domain
>>>>>MIT.REALM.COM cannot be found.
>>>>>
>>>>>From ethereal, I can see that the win2k client does a CLDAP request,
>>>>>with filter: (&(DnsDomain = MIT.REALM.COM)(Host=win2k_machine)(NtVer=\006).
>>>>>Since this is not successful, it does IPX request and then NBNS for
>>>>>domain MIT.REALM.COM.
>>>>>
>>>>>How can I resolve this problem ?
>>>>>1. Should I set up an MS-CLDAP server on a w2kserver (which is not my
>>>>>   KDC), or can I use openldap with --enable-cldap (anyone ever tried
>>>>>   this ?) ?
>>>>>2. Is there any better and easier way than setting up the CLDAP
>>>>>   server ? WINS ?
>>>>>
>>>>>regards,
>>>>>lara
>>>>>
>>>>>=====
>>>>>------------------------------------------------------------------------------------
>>>>>La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
>>>>>                    - Guy de Maupassant -
>>>>>------------------------------------------------------------------------------------
>>>>>________________________________________________
>>>>>Kerberos mailing list           Kerberos at mit.edu
>>>>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>>
>>>>-- 
>>>>-----------------
>>>>This e-mail account is not read on a regular basis.
>>>>
>=== message truncated ===
>

-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
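The advice in the thread is to publish the KDC and change-password service either through KSETUP or as _kerberos / _kpasswd SRV records in DNS, and Lara's zone file is on the page. What follows is an added example, my own code rather than anything from the thread or from MIT Kerberos: a small linter that parses a constructed copy of that zone and reports whether the records a Kerberos client looks up are present and resolvable. The record names, ports and origin come from the thread; the _kpasswd._tcp check, the rule that every SRV and NS target should have an A record in the zone, and the severity labels are my assumptions.

```python
"""Zone-file linter for the DNS SRV records a Kerberos client relies on.

Added example, not code from the thread. It parses a constructed copy of
the zone file posted above and reports the records a Windows client with
an external (ksetup) realm looks up: _kerberos._udp / _kerberos._tcp on
port 88 and _kpasswd._udp on port 464, plus whether every SRV and NS
target can be resolved from the zone itself.
"""
import re
from collections import defaultdict

ORIGIN = "adianto.com."

# Constructed copy of the zone from the post (comments trimmed, same records).
ZONE = """\
$TTL 3D
@       IN      SOA     kserver.adianto.com. hostmaster.adianto.com. (
                        199802151       ; serial
                        8H              ; refresh
                        2H              ; retry
                        4W              ; expire
                        1D )            ; minimum
                NS      kserver
localhost       A       127.0.0.1
kerberos        A       192.168.168.106
testw2k8        A       192.168.168.94
; Master setup
_kerberos._udp          IN      SRV     0 0 88  kerberos.adianto.com.
_kerberos._tcp          IN      SRV     0 0 88  kerberos.adianto.com.
_kpasswd._udp           IN      SRV     0 0 464 kerberos.adianto.com.
_ldap._tcp.dc._msdcs    IN      SRV     0 0 389 kerberos.adianto.com.
; Round-robin setup
_kerberos._udp          IN      SRV     0 0 88  kerberos
"""

# (service label, port): description.  The _kpasswd._tcp entry is an
# assumption of mine (MIT kadmind also serves 464/tcp); it is reported as
# advisory rather than required.
REQUIRED = {
    ("_kerberos._udp", "88"): "KDC over UDP",
    ("_kerberos._tcp", "88"): "KDC over TCP (large tickets)",
    ("_kpasswd._udp", "464"): "password change over UDP",
}
ADVISORY = {("_kpasswd._tcp", "464"): "password change over TCP"}

_TTL_RE = re.compile(r"^\d+[smhdwSMHDW]?$")


def fqdn(name, origin=ORIGIN):
    """Expand a relative owner or target name against the zone origin."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name.lower()}.{origin}"


def parse_zone(text, origin=ORIGIN):
    """Return {(owner_fqdn, rtype): [rdata tuple, ...]} for a BIND-style zone.

    Handles ';' comments, parenthesised multi-line records, $TTL/$ORIGIN,
    optional TTL and class fields, and blank-owner continuation lines.
    """
    lines = [l.split(";", 1)[0].rstrip() for l in text.splitlines()]
    body = "\n".join(l for l in lines if l.strip())
    # Fold "( ... )" groups (the SOA) onto one logical line.
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body, flags=re.S)
    records = defaultdict(list)
    owner = origin
    for line in body.splitlines():
        tokens = line.split()
        if tokens[0] == "$TTL":
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if not line[0].isspace():                 # new owner name
            owner = fqdn(tokens.pop(0), origin)
        if tokens and _TTL_RE.match(tokens[0]):   # per-record TTL
            tokens.pop(0)
        if tokens and tokens[0] in ("IN", "CH", "HS"):
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        records[(owner, rtype)].append(tuple(tokens))
    return records


def lint(records, origin=ORIGIN):
    """Return a list of findings; an empty list means the zone passes."""
    findings = []
    have_a = {owner for (owner, rtype) in records if rtype == "A"}

    def check(service, port, what, level):
        name = fqdn(service, origin)
        rrs = records.get((name, "SRV"), [])
        if not rrs:
            findings.append(f"{level}: no {name} SRV record ({what})")
            return
        for _prio, _weight, rr_port, target in rrs:
            if rr_port != port:
                findings.append(f"ERROR: {name} -> {fqdn(target, origin)} uses port {rr_port}, expected {port}")
        targets = [fqdn(t, origin) for *_, t in rrs]
        for dup in sorted({t for t in targets if targets.count(t) > 1}):
            findings.append(f"WARN: {name} lists the same target more than once ({dup})")

    for (svc, port), what in REQUIRED.items():
        check(svc, port, what, "ERROR")
    for (svc, port), what in ADVISORY.items():
        check(svc, port, what, "ADVISORY")
    # An SRV or NS target with no A record in the zone (and no glue) is a
    # name the client cannot resolve, however correct the SRV itself looks.
    for (owner, rtype), rrs in sorted(records.items()):
        if rtype in ("SRV", "NS"):
            for rr in rrs:
                target = fqdn(rr[-1], origin)
                if target not in have_a:
                    findings.append(f"ERROR: {owner} {rtype} -> {target} has no A record in this zone")
    return findings


if __name__ == "__main__":
    for line in lint(parse_zone(ZONE)) or ["OK: zone has the SRV records a Kerberos client needs"]:
        print(line)
```

Run against the posted zone it reports three things: the name server kserver has no A record in the zone, _kerberos._udp is listed twice pointing at the same host (so the "round-robin" section adds no second server), and there is no _kpasswd._tcp record. None of these explains the winlogon behaviour in the thread, which was a Windows 2000 client bug with an external realm; the linter only confirms that the DNS side of KSETUP's expectations is satisfied, and an ethereal capture like Lara's remains the way to see what the client actually queries.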
