Password Expiration, winXP client

William G. Zereneh zereneh at scs.ryerson.ca
Mon May 3 15:44:34 EDT 2004


The Situation:

Windows XP Client will not allow users with an expired Kerberos password to log in;
it complains that the password has expired, prompts for a password change, then says the Domain
is not available.

The setup is as follows:

Windows 2000 domain controller with an established trust relation between the MIT Kerberos
realm (xxx.xxxxxxx.ca) and the Windows 2k SP4 Domain (ms.xxx.xxxxxxx.ca); pass-thru authentication;
all Windows users have their account mapped to their Kerberos principal; Windows XP
Clients SP1 and part of the ms.xxx.xxxxxxx.ca domain; login to the Kerberos realm with a non-expired password works
just fine, the password can be changed after a successful login; access to the entire domain is
granted including printing to a Samba print server and a NetApp filer.


I have been sniffing the traffic between:

1. Windows XP Client
2. Windows 2k Domain controller (ms.xxx.xxxxxxx.ca)
3. kadmin,kdc server (kdc.xxx.xxxxxxx.ca)

The results:

1. I log in to the Windows XP Client with an expired Kerberos password;
the Windows XP client sends an AS-REQ to kdc.xxx.xxxxxxx.ca

2. kdc.xxx.xxxxxxx.ca sends KRB5KDC_ERR_KEY_EXP

3. The Windows Client sends a CLDAP request to kdc.xxx.xxxxxxx.ca asking for
information about Domain: XXX.XXXXXXX.CA and Host: "Windows Client
machine"

4. kdc.xxx.xxxxxxx.ca (a Solaris box) replies with dest not found.

5. The client sends a NetBIOS NS request to the domain controllers for
information about the XXX.XXXXXXX.CA domain; the reply is negative

6. The client sends out DNS requests for SRV records *.Default-First-Name.*,
*dc._msdc.*; the reply is negative.

7. Finally it decides that the Domain Controller for XXX.XXXXXXX.CA is
not available to change the password.

I guess the client thinks it's dealing with another Windows Domain
Controller?!

Any idea what the client is looking for, especially when it has the
kpasswd entry in its own registry that points to the kadmind server?

I have been getting a lot of help from "Jeffrey Altman" (Thanks again)
and wondering if anybody can shed more light on this problem.


-- 
William G. Zereneh <zereneh at scs.ryerson.ca>
Ryerson University
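The exchange in steps 1 and 2 above, as an added example that is not part of the original post or of any MIT Kerberos or Microsoft code: the KDC answers the AS-REQ with a KRB-ERROR message whose error-code is 23 (KDC_ERR_KEY_EXPIRED in RFC 4120, printed as KRB5KDC_ERR_KEY_EXP by MIT tools). The script below builds such a KRB-ERROR in DER from the RFC 4120 ASN.1 definition, then decodes it the way one would when reading a capture by hand, pulling out msg-type, error-code, service realm and sname. The realm XXX.XXXXXXX.CA, the krbtgt service name and the timestamp are constructed sample values; the error-code names are from RFC 4120 section 7.5.9.

```python
"""Build and decode a Kerberos KRB-ERROR (RFC 4120 5.9.1) such as the
KRB5KDC_ERR_KEY_EXP reply a KDC returns to an AS-REQ for an expired key."""
import datetime

# Error codes from RFC 4120 section 7.5.9 (MIT names in comments)
ERROR_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    23: "KRB5KDC_ERR_KEY_EXP",            # KDC_ERR_KEY_EXPIRED: password must be changed
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
}
KDC_ERR_KEY_EXPIRED = 23
KRB_ERROR_MSG_TYPE = 30                  # msg-type and [APPLICATION 30] tag

# ---- minimal DER encoder, used only to construct the sample packet ----
def _tlv(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def _ctx(n, body):           # context-specific constructed tag [n]
    return _tlv(0xA0 | n, body)

def _int(v):                 # DER INTEGER, two's complement
    size = max(1, (v.bit_length() + 8) // 8)
    return _tlv(0x02, v.to_bytes(size, "big", signed=True))

def _gs(s):                  # GeneralString (KerberosString / Realm)
    return _tlv(0x1B, s.encode("ascii"))

def _ktime(t):               # KerberosTime is GeneralizedTime YYYYMMDDHHMMSSZ
    return _tlv(0x18, t.strftime("%Y%m%d%H%M%SZ").encode("ascii"))

def _principal(name_type, parts):   # PrincipalName ::= SEQUENCE { [0] type, [1] names }
    names = _tlv(0x30, b"".join(_gs(p) for p in parts))
    return _tlv(0x30, _ctx(0, _int(name_type)) + _ctx(1, names))

def build_krb_error(error_code, realm, sname_parts, e_text=None):
    """Construct a KRB-ERROR with the mandatory fields (ctime/cusec omitted)."""
    stime = datetime.datetime(2004, 5, 3, 19, 44, 34)   # constructed sample time
    fields = (_ctx(0, _int(5)) + _ctx(1, _int(KRB_ERROR_MSG_TYPE)) +
              _ctx(4, _ktime(stime)) + _ctx(5, _int(0)) +
              _ctx(6, _int(error_code)) + _ctx(9, _gs(realm)) +
              _ctx(10, _principal(2, sname_parts)))       # NT-SRV-INST = 2
    if e_text:
        fields += _ctx(11, _gs(e_text))
    return _tlv(0x7E, _tlv(0x30, fields))   # [APPLICATION 30] SEQUENCE

# ---- minimal DER reader, the part you would use on a real capture ----
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _children(buf):
    pos = 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        yield tag, val

def _decode_principal(seq_body):
    parts = []
    for tag, val in _children(seq_body):
        if tag == 0xA1:                      # name-string [1] SEQUENCE OF GeneralString
            _, names, _ = _read_tlv(val, 0)
            parts = [v.decode("ascii") for _, v in _children(names)]
    return "/".join(parts)

def parse_krb_error(pkt):
    """Decode the fields of a KRB-ERROR relevant to diagnosing an AS-REQ failure."""
    tag, body, _ = _read_tlv(pkt, 0)
    if tag != 0x7E:
        raise ValueError("not a KRB-ERROR: expected [APPLICATION 30] tag")
    tag, seq, _ = _read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    out = {}
    for tag, val in _children(seq):
        ctx = tag & 0x1F
        _, inner, _ = _read_tlv(val, 0)      # unwrap the [n] EXPLICIT tag
        if ctx == 1:
            out["msg_type"] = int.from_bytes(inner, "big", signed=True)
        elif ctx == 4:
            out["stime"] = inner.decode("ascii")
        elif ctx == 6:
            out["error_code"] = int.from_bytes(inner, "big", signed=True)
        elif ctx == 9:
            out["realm"] = inner.decode("ascii")
        elif ctx == 10:
            out["sname"] = _decode_principal(inner)
        elif ctx == 11:
            out["e_text"] = inner.decode("ascii")
    if out.get("msg_type") != KRB_ERROR_MSG_TYPE:
        raise ValueError("msg-type is not KRB_ERROR (30)")
    out["error_name"] = ERROR_NAMES.get(out["error_code"], "UNKNOWN")
    return out

def needs_password_change(pkt):
    """True when the KDC's reply means 'change the password before a TGT can be issued'."""
    return parse_krb_error(pkt)["error_code"] == KDC_ERR_KEY_EXPIRED

if __name__ == "__main__":
    sample = build_krb_error(23, "XXX.XXXXXXX.CA", ["krbtgt", "XXX.XXXXXXX.CA"])
    print(parse_krb_error(sample), needs_password_change(sample))
```

On a real capture, the bytes to feed parse_krb_error are the UDP payload of the KDC's reply to the AS-REQ (TCP replies carry a 4-byte length prefix first). The error-code, not the text, is what the client acts on: only code 23 sends it into the change-password path, so this is the value to confirm before chasing the CLDAP, NetBIOS and DNS SRV lookups that follow.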
