Password Expiration, winXP client

Detlefs, David dhd at umich.edu
Tue May 4 13:34:33 EDT 2004 

Does an "expired kerberos password" refer to the MIT realm or Windows
domain password.  If it is the Windows domain password, the situation
you describe is familiar.  In that case, I believe the only solution is
to turn off password expiration in the Windows domain.  We consulted
with Microsoft on this issue years ago, and they claimed that the client
could not be modified to fix the problem, since when logging on via
"pass-through" authentication, any attempt to change the password on
Windows will change the password in the MIT realm, not the Windows
domain password.  You could encourage users to change their passwords by
querying AD, and sending letters, disabling accounts, etc.

Dave Detlefs
University of Michigan

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of William G. Zereneh
Sent: Monday, May 03, 2004 3:45 PM
To: Kerberos
Subject: Password Expiration, winXP client

The Situation:

Window XP Client will not allow users with expired kerberos password to
login; complains password expired, prompt for password change then says
Domain is not available.

The setup is as follow:

Windows 2000 domain controller with established trust relation between
MIT Kerberos realm (xxx.xxxxxxx.ca) and Windows 2k SP4 Domain
(ms.xxx.xxxxxxx.ca); pass-thru authentication; all windows users have
their account mapped to their Kerberos principle; Windows XP Clients SP1
and part of the ms.xxx.xxxxxxx.ca domain; login to the kerberos realm
with none expired password works just fine, password can be changed
after successful login; access to the entire domain is granted including
printing to a samba printserver and a netapp filer.


I have been sniffing the traffic between:

1. Windows XP Client
2. Windows 2k Domain controller (ms.xxx.xxxxxxx.ca) 3. kadmin,kdc server
(kdc.xxx.xxxxxxx.ca)

The results:

1. I login to Windows XP Client with an expired kerberos password
Windows XP client sends AS-REQ to kdc.xxx.xxxxxxx.ca

2. kdc.xxx.xxxxxxx.ca send KRB5KDC_ERR_KEY_EXP

3. Windows Client send CLDAP to kdc.xxx.xxxxxxx.ca asking for
information about Domain: XXX.XXXXXXX.CA and Host: "Windows Client
machine"

4. kdc.xxx.xxxxxxx.ca is a solaris box replies with dest not found.

5. client sends NetBiosNS request to the domain controllers for
information about XXX.XXXXXXX.CA domain; reply is negative

6. Client sends out DNS request for SRV records *.Default-First-Name.*,
*dc._msdc.*; reply is negative.

7. Finally it decided that the Domain Controller for XXX.XXXXXXX.CA is
not available to change password.

I guess the client thinks it's dealing with another Windows Domain
Controller?!

Any idea what the client is looking for? especially when it has the
kpasswd entry in it's own registry that points to the kadmind server.

I have been getting a lot of help from "Jeffrey Altman" (Thanks again)
and wondering if anybody can shed more light on this problem.


--
William G. Zereneh <zereneh at scs.ryerson.ca> Ryerson University

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

More information about the Kerberos mailing list