change password expired because domain is not found
Jeffrey Altman
jaltman2 at nyc.rr.com
Mon Jun 28 09:51:48 EDT 2004
According to a contact at Microsoft, this is a bug in Win2000's winlogon.exe
which will not be fixed. Instead users should enter their login name as
lara at ADIANTO.COM
or upgrade to XP. This should be published as a Knowledge Base article soon.
Jeffrey Altman
Lara Adianto wrote:
>I've added kpasswd using ksetup:
>C:/>ksetup
>default realm = ADIANTO.COM <external>
>ADIANTO.COM:
> kdc = kerberos.adianto.com
> kpasswd = kerberos.adianto.com
>Mapping lara at ADIANTO.COM to lara
>But it didn't work.
>
>I've changed the DNS server (from Win2k server to linux), and added
>_kpasswd._udp.ADIANTO.COM, but it didn't work either...
>
>This is what happened (as captured by ethereal):
>1. AS-REQ from win client (Testw2k8) to MIT KDC
>2. KRB-ERR from MIT KDC to client (Testw2k8) that key
>is expired
>3. DNS query from win client to DNS server for
>_ldap._tcp.dc._msdcs.ADIANTO.COM type SRV class inet
>(why did it query for msdcs ???, I added the entry
>finally, but it still didn't work out )
>4. CLDAP query from client to DNS server with
>Filter(&(DnsDomain = ADIANTO.COM)(Host =
>Testw2k8)(NtVer=\006) attr=NetLogon
>5. NBIPX: Find name ADIANTO.COM
>6. NBNS: Name query NB ADIANTO.COM
>7. NetLogon: Query for PDC from Testw2k8
>
>Where did it go wrong ?
>
>These are my DNS entries:
>;
>; Zone file for adianto.com
>;
>; The full zone file
>;
>$TTL 3D
>@ IN SOA kserver.adianto.com. hostmaster.adianto.com. (
>        199802151 ; serial, today's date + today's serial #
>        8H        ; refresh, seconds
>        2H        ; retry, seconds
>        4W        ; expire, seconds
>        1D )      ; minimum, seconds
>;
>        NS kserver          ; Inet Address of name server
>;
>localhost       A 127.0.0.1
>kerberos        A 192.168.168.106
>testw2k8        A 192.168.168.94
>;
>; Master setup
>_kerberos._udp  IN SRV 0 0 88  kerberos.adianto.com.
>_kerberos._tcp  IN SRV 0 0 88  kerberos.adianto.com.
>_kpasswd._udp   IN SRV 0 0 464 kerberos.adianto.com.
>_ldap._tcp.dc._msdcs IN SRV 0 0 389 kerberos.adianto.com.
>;
>; Round-robin setup
>_kerberos._udp  IN SRV 0 0 88  kerberos
>
>regards,
>lara
>
>--- Jeffrey Altman <jaltman at columbia.edu> wrote:
>
>>Define the kpasswd entries with KSETUP or add _kpasswd._udp.<realm> SRV
>>records to DNS. Otherwise, Windows is probably using LDAP to try to find
>>the change password service.
>>
>>Lara Adianto wrote:
>>
>>>--- Jeffrey Altman <jaltman2 at nyc.rr.com> wrote:
>>>
>>>>MIT.REALM.COM is an external realm.
>>>>
>>>Yes, I'm authenticating a Windows machine to a non-Windows KDC.
>>>
>>>>External realms are not searched for using LDAP.
>>>>Once again:
>>>>
>>>> What is the configuration of the machine with KSETUP?
>>>>
>>>default realm = ADIANTO.COM <external>
>>>ADIANTO.COM:
>>> kdc = kerberos.adianto.com
>>>Mapping lara at ADIANTO.COM to lara
>>>
>>>I also added: RealmFlags = 8
>>>
>>>> Do you have entries for kdc and kpasswd in the KSETUP
>>>> configuration?
>>>>
>>>kdc yes, kpasswd no. Is it necessary to have kpasswd?
>>>I have no problem changing the password when it's not expired yet.
>>>
>>>> If yes, do they map to valid DNS addresses?
>>>>
>>>> Are those addresses reachable?
>>>>
>>>Well, I set up a DNS server on a win2k server, and I'm able to ping
>>>kerberos.adianto.com from the win2k prof client.
>>>
>>>>Windows will only try the first address returned for each name.
>>>>If you are using an alias name pointing to multiple servers and
>>>>one of the servers is not reachable, you will fail.
>>>>UDP is tried before TCP but TCP will be used if the tickets are
>>>>too large.
>>>>
>>>I don't have an alias name in my DNS. Mmm, I have no idea why it does
>>>a CLDAP request. Any clue why this happened?
>>>
>>>Thanks again. You have been really helpful to me in the process of
>>>understanding this whole new concept.
>>>
>>>regards,
>>>-lara-
>>>
>>>>Lara Adianto wrote:
>>>>
>>>>>hello everybody,
>>>>>
>>>>>I've posted this question a few weeks ago, but no one replied, and
>>>>>*sigh*, I'm still stuck.
>>>>>
>>>>>Scenario:
>>>>>Win2k client authenticates to MIT KDC
>>>>>
>>>>>Problem:
>>>>>When the user's password is expired, windows will prompt the user
>>>>>for a new password. However, change password failed because domain
>>>>>MIT.REALM.COM cannot be found.
>>>>>
>>>>>From ethereal, I can see that the win2k client does a CLDAP request,
>>>>>with filter: (&(DnsDomain = MIT.REALM.COM)(Host=win2k_machine)(NtVer=\006).
>>>>>Since this is not successful, it does an IPX request and then NBNS
>>>>>for domain MIT.REALM.COM.
>>>>>
>>>>>How can I resolve this problem?
>>>>>1. Should I set up a MS-CLDAP server on a w2kserver (which is not my
>>>>>KDC), or can I use openldap with --enable-cldap (anyone ever tried
>>>>>this?)?
>>>>>2. Is there any better and easier way than setting up the CLDAP
>>>>>server? WINS?
>>>>>
>>>>>regards,
>>>>>lara
>>>>>
>>>>>=====
>>>>>------------------------------------------------------------------------------------
>>>>>Life, you see, is never as good or as bad as one thinks
>>>>> - Guy de Maupassant -
>>>>>------------------------------------------------------------------------------------
>>>>>________________________________________________
>>>>>Kerberos mailing list Kerberos at mit.edu
>>>>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>>
>=== message truncated ===
>
--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
More information about the Kerberos
mailing list
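A small zone-file check for the records this thread turns on, written as an added example for this archive page and not code from any of the posters: it verifies that the _kerberos._udp, _kerberos._tcp and _kpasswd._udp SRV records exist for the realm (the kpasswd record Jeffrey asked about) and that every SRV target resolves to exactly one address, since Windows tries only the first address returned for a name. The zone text is constructed, modelled on Lara's posted zone; the realm, host names and addresses are assumptions.

```python
# Constructed sample zone modelled on the one posted above, not the poster's file.
# Relative names fall under the zone origin; "@" is the apex; no per-record TTLs.
SAMPLE_ZONE = """$TTL 3D
kerberos        A   192.168.168.106
kerberos        A   192.168.168.107    ; a second address behind the same name
_kerberos._udp  IN SRV 0 0 88  kerberos.adianto.com.
_kerberos._tcp  IN SRV 0 0 88  kerberos
_ldap._tcp.dc._msdcs IN SRV 0 0 389 kerberos.adianto.com.
"""

# SRV owner labels a Windows client resolves for a Kerberos realm (no _kpasswd above).
REQUIRED_SRV = ("_kerberos._udp", "_kerberos._tcp", "_kpasswd._udp")

def parse_zone(text, origin):
    """Return (srv, a): SRV owner -> [target FQDNs]; A owner -> [addresses].
    Handles '@', relative/absolute names, an optional IN class and ';' comments."""
    origin = origin.lower().rstrip(".")
    def fqdn(n):  # '@' is the apex; a trailing dot means absolute; else relative
        n = n.lower()
        return origin if n == "@" else n[:-1] if n.endswith(".") else f"{n}.{origin}"
    srv, a = {}, {}
    for raw in text.splitlines():
        toks = raw.split(";", 1)[0].split()
        if len(toks) < 3 or toks[0].startswith("$"):
            continue  # blank, comment-only or $-directive line
        if toks[1].upper() == "IN":
            del toks[1]
        name, rtype, rdata = fqdn(toks[0]), toks[1].upper(), toks[2:]
        if rtype == "SRV" and len(rdata) == 4:
            srv.setdefault(name, []).append(fqdn(rdata[3]))
        elif rtype == "A" and len(rdata) == 1:
            a.setdefault(name, []).append(rdata[0])
    return srv, a

def check_realm(zone_text, realm):
    """List the problems a Windows client would hit; an empty list means complete."""
    srv, a = parse_zone(zone_text, realm)
    findings, targets = [], []
    for label in REQUIRED_SRV:
        owner = f"{label}.{realm.lower()}"
        if owner not in srv:
            findings.append(f"missing SRV {owner}")
        targets += [t for t in srv.get(owner, []) if t not in targets]
    for t in targets:  # each target must resolve to exactly one address
        if t not in a:
            findings.append(f"SRV target {t} has no A record")
        elif len(a[t]) > 1:
            findings.append(f"SRV target {t} has {len(a[t])} addresses; Windows tries only the first")
    return findings
```

Running `check_realm(SAMPLE_ZONE, "ADIANTO.COM")` reports the missing _kpasswd._udp record and the two-address target; once both are corrected the list is empty.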