Password Expiration, winXP client

William G. Zereneh zereneh at scs.ryerson.ca
Tue May 4 14:10:18 EDT 2004


"expired kerberos password" refers to the MIT realm.
Users are allowed to log in to the MIT Kerberos realm ONLY.

On Tue, 2004-05-04 at 13:34, Detlefs, David wrote:
> Does an "expired kerberos password" refer to the MIT realm or Windows
> domain password?  If it is the Windows domain password, the situation
> you describe is familiar.  In that case, I believe the only solution is
> to turn off password expiration in the Windows domain.  We consulted
> with Microsoft on this issue years ago, and they claimed that the client
> could not be modified to fix the problem, since when logging on via
> "pass-through" authentication, any attempt to change the password on
> Windows will change the password in the MIT realm, not the Windows
> domain password.  You could encourage users to change their passwords by
> querying AD, and sending letters, disabling accounts, etc.
> 
> Dave Detlefs
> University of Michigan
> 
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> Behalf Of William G. Zereneh
> Sent: Monday, May 03, 2004 3:45 PM
> To: Kerberos
> Subject: Password Expiration, winXP client
> 
> The Situation:
> 
> The Windows XP client will not allow users with an expired Kerberos
> password to log in; it complains that the password has expired, prompts
> for a password change, then says the domain is not available.
> 
> The setup is as follows:
> 
> Windows 2000 domain controller with an established trust relationship
> between the MIT Kerberos realm (xxx.xxxxxxx.ca) and the Windows 2k SP4
> domain (ms.xxx.xxxxxxx.ca); pass-through authentication; all Windows
> users have their account mapped to their Kerberos principal; Windows XP
> clients SP1 and part of the ms.xxx.xxxxxxx.ca domain; login to the
> Kerberos realm with a non-expired password works just fine, and the
> password can be changed after a successful login; access to the entire
> domain is granted, including printing to a Samba print server and a
> NetApp filer.
> 
> 
> I have been sniffing the traffic between:
> 
> 1. Windows XP Client
> 2. Windows 2k domain controller (ms.xxx.xxxxxxx.ca)
> 3. kadmin/kdc server (kdc.xxx.xxxxxxx.ca)
> 
> The results:
> 
> 1. I log in to the Windows XP client with an expired Kerberos password;
> the Windows XP client sends an AS-REQ to kdc.xxx.xxxxxxx.ca
> 
> 2. kdc.xxx.xxxxxxx.ca sends KRB5KDC_ERR_KEY_EXP
> 
> 3. Windows client sends a CLDAP request to kdc.xxx.xxxxxxx.ca asking for
> information about Domain: XXX.XXXXXXX.CA and Host: "Windows client
> machine"
> 
> 4. kdc.xxx.xxxxxxx.ca (a Solaris box) replies with "dest not found".
> 
> 5. Client sends a NetBIOS NS request to the domain controllers for
> information about the XXX.XXXXXXX.CA domain; the reply is negative
> 
> 6. Client sends out DNS requests for SRV records *.Default-First-Name.*
> and *dc._msdc.*; the reply is negative.
> 
> 7. Finally it decides that the domain controller for XXX.XXXXXXX.CA is
> not available to change the password.
> 
> I guess the client thinks it's dealing with another Windows Domain
> Controller?!
> 
> Any idea what the client is looking for? Especially when it has the
> kpasswd entry in its own registry that points to the kadmind server.
> 
> I have been getting a lot of help from "Jeffrey Altman" (Thanks again)
> and wondering if anybody can shed more light on this problem.
> 
> 
> --
> William G. Zereneh <zereneh at scs.ryerson.ca> Ryerson University
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
-- 
William G. Zereneh <zereneh at scs.ryerson.ca>
Ryerson University
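The reply the poster saw at step 2 of the capture is a KRB-ERROR carrying
error-code 23 (KRB5KDC_ERR_KEY_EXP). The following is an added example,
not code from anyone in this thread: it builds such a KRB-ERROR with a
minimal hand-rolled DER encoder, decodes it again, and shows the one field
a client branches on when deciding whether to go to the kpasswd service
instead of retrying the AS-REQ. The realm, timestamp and the krbtgt sname
are constructed sample values; the field layout follows RFC 4120 5.9.1.

```python
"""Build and decode a Kerberos KRB-ERROR (RFC 4120 section 5.9.1).

Constructed example: realm, time and principal are sample values, not data
from the capture described in the thread. Only the fields needed to
recognise an expired-key error are decoded; optional e-text/e-data are
tolerated but ignored.
"""
from typing import Dict, List, Tuple

# Subset of RFC 4120 section 7.5.9 error codes.
ERROR_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    18: "KDC_ERR_CLIENT_REVOKED",
    23: "KDC_ERR_KEY_EXPIRED",      # what the MIT KDC returned at step 2
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    68: "KDC_ERR_WRONG_REALM",
}
APPLICATION_KRB_ERROR = 0x7E  # [APPLICATION 30], constructed


def der_len(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def ctx(n: int, body: bytes) -> bytes:
    """Context-specific constructed tag [n]; every KRB-ERROR field uses one."""
    return tlv(0xA0 | n, body)


def der_int(v: int) -> bytes:
    """INTEGER with minimal-length two's complement content."""
    n = max(1, (v.bit_length() + 8) // 8)
    return tlv(0x02, v.to_bytes(n, "big", signed=True))


def gen_string(s: str) -> bytes:
    return tlv(0x1B, s.encode("ascii"))  # GeneralString


def gen_time(s: str) -> bytes:
    return tlv(0x18, s.encode("ascii"))  # GeneralizedTime, e.g. 20040503194500Z


def principal_name(name_type: int, parts: List[str]) -> bytes:
    names = b"".join(gen_string(p) for p in parts)
    return tlv(0x30, ctx(0, der_int(name_type)) + ctx(1, tlv(0x30, names)))


def build_krb_error(error_code: int, realm: str, stime: str) -> bytes:
    """KRB-ERROR with the mandatory fields; sname is krbtgt/<realm> (NT-SRV-INST)."""
    fields = (
        ctx(0, der_int(5)) + ctx(1, der_int(30)) + ctx(4, gen_time(stime))
        + ctx(5, der_int(0)) + ctx(6, der_int(error_code))
        + ctx(9, gen_string(realm)) + ctx(10, principal_name(2, ["krbtgt", realm]))
    )
    return tlv(APPLICATION_KRB_ERROR, tlv(0x30, fields))


def read_tlv(buf: bytes, off: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, offset just past this TLV)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + nbytes], "big"), off + nbytes
    return tag, buf[off:off + ln], off + ln


def read_sequence(body: bytes) -> List[Tuple[int, bytes]]:
    items, off = [], 0
    while off < len(body):
        tag, val, off = read_tlv(body, off)
        items.append((tag, val))
    return items


def decode_krb_error(msg: bytes) -> Dict[str, object]:
    tag, body, _ = read_tlv(msg, 0)
    if tag != APPLICATION_KRB_ERROR:
        raise ValueError(f"not a KRB-ERROR (outer tag 0x{tag:02x})")
    seq_tag, seq, _ = read_tlv(body, 0)
    if seq_tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    # Map context tag number [n] -> content of the single inner TLV it wraps.
    fields = {t & 0x1F: read_tlv(v, 0)[1] for t, v in read_sequence(seq)}
    code = int.from_bytes(fields[6], "big", signed=True)
    return {
        "pvno": int.from_bytes(fields[0], "big", signed=True),
        "msg_type": int.from_bytes(fields[1], "big", signed=True),
        "stime": fields[4].decode("ascii"),
        "error_code": code,
        "error_name": ERROR_NAMES.get(code, f"UNKNOWN({code})"),
        "realm": fields[9].decode("ascii"),
        "e_text": fields[11].decode("ascii") if 11 in fields else None,
    }


def password_expired(msg: bytes) -> bool:
    """True when the KDC says the key expired: time to talk to kpasswd, not retry AS-REQ."""
    return decode_krb_error(msg)["error_code"] == 23
```

Feeding a captured KDC reply to decode_krb_error shows the realm the error
names; in the exchange above that is the MIT realm, which is why a client
that then tries to locate a Windows domain controller for that realm name
(CLDAP, NetBIOS, _msdcs SRV records) finds nothing.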


