Password Changing failing from Windows to MIT KDC

Mike Friedman mikef at ack.Berkeley.EDU
Fri Sep 2 12:50:33 EDT 2005


On Tue, 23 Aug 2005 at 02:45 (-0000), Jeffrey Altman wrote:

> I can verify that there is a problem although I cannot determine at the 
> moment what the source of it is.  What is the most recent version of KFW 
> that you are aware works?

Jeffrey,

Further investigation by my Windows colleagues appears to reveal that 
password changing fails only when issued from a NAT'ed private IP address. 
This is true both for KfW and for native Windows Kerberos password 
changing.

But this problem has apparently existed for some time with admin functions 
in general (e.g., kadmin) and not only from Windows systems.

So, as it stands, we have no evidence of a new problem either with recent 
KfW releases or with a current version of the KDC.

Is the problem that you say you can verify perhaps also related to NAT'ed 
private IP addresses?

Mike

=========================================================================
> Mike Friedman wrote:
>
>> I posted on this a few days ago but haven't received any replies, so I 
>> figure it may have fallen through the cracks.
>>
>> It seems that with the current release of KfW, password changing fails 
>> to either a 1.3.4 or 1.4.2 KDC.  Yet, earlier versions of KfW don't 
>> have this problem.  Similarly with Windows native Kerberos password 
>> changing.  I haven't done testing of the latter myself, but a colleague 
>> who works on Windows has.
>>
>> The message he receives is this:
>>
>>    Server error: Failed decrypting request
>>
>> The KDC logs show a successful issuing of the kadmin/changepw service 
>> credential, but no further action indicating a change password 
>> transaction.
>>
>> I suspected a client host firewall problem (re: UDP 464), but the 
>> problem continues even with no firewall rules in place.
>>
>> Has something changed with the new versions of KfW?
>>
>> Thanks.
>>
>> Mike

_____________________________________________________________________
Mike Friedman                   System and Network Security
mikef at ack.Berkeley.EDU          2484 Shattuck Avenue
1-510-642-1410                  University of California at Berkeley
http://ack.Berkeley.EDU/~mikef  http://security.berkeley.edu
_____________________________________________________________________
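
The symptom in the quoted post (a kadmin/changepw ticket is issued, then no change-password transaction shows up in the logs) can be searched for mechanically. The Python below is an added example, not part of the original e-mail or of MIT Kerberos; the log lines are constructed, their layout is an assumption modelled on krb5kdc/kadmind logging, and the function name and 60-second window are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (assumed krb5kdc/kadmind layout); not from the original post.
SAMPLE_LOG = """\
Aug 23 02:45:10 kdc1 krb5kdc[2345](info): AS_REQ (2 etypes {16 23}) 192.0.2.10: ISSUE: authtime 1124765110, etypes {rep=16 tkt=16 ses=16}, alice@EXAMPLE.EDU for kadmin/changepw@EXAMPLE.EDU
Aug 23 02:45:11 kdc1 kadmind[2346](Notice): chpw request from 192.0.2.10 for alice@EXAMPLE.EDU: success
Aug 23 02:47:30 kdc1 krb5kdc[2345](info): AS_REQ (2 etypes {16 23}) 198.51.100.7: ISSUE: authtime 1124765250, etypes {rep=16 tkt=16 ses=16}, bob@EXAMPLE.EDU for kadmin/changepw@EXAMPLE.EDU
Aug 23 02:49:02 kdc1 krb5kdc[2345](info): AS_REQ (2 etypes {16 23}) 198.51.100.7: ISSUE: authtime 1124765342, etypes {rep=16 tkt=16 ses=16}, bob@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
"""

TS = r"(\w{3} +\d+ [\d:]{8})"
# Ticket issued for the password-change service: timestamp, client address, client principal.
ISSUE_RE = re.compile(
    TS + r" \S+ krb5kdc\[\d+\].*? (\S+): ISSUE: .*, (\S+) for kadmin/changepw@\S+$")
# Change-password request logged by the kpasswd service: timestamp, address, principal, result.
CHPW_RE = re.compile(
    TS + r" \S+ kadmind\[\d+\].*chpw request from (\S+) for (\S+): (.*)$")


def parse_ts(text):
    # Syslog timestamps carry no year; only differences between them are used here.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def unfinished_changes(log_text, window=timedelta(seconds=60)):
    """Return (timestamp, client_addr, principal) for every kadmin/changepw
    ticket that is not followed by a logged chpw request for the same
    principal within `window`."""
    issued, handled = [], []
    for line in log_text.splitlines():
        if m := ISSUE_RE.match(line):
            issued.append((m[1], m[2], m[3]))
        elif m := CHPW_RE.match(line):
            handled.append((parse_ts(m[1]), m[3]))
    orphans = []
    for raw_ts, addr, princ in issued:
        start = parse_ts(raw_ts)
        seen = any(p == princ and start <= t <= start + window for t, p in handled)
        if not seen:
            orphans.append((raw_ts, addr, princ))
    return orphans


if __name__ == "__main__":
    for row in unfinished_changes(SAMPLE_LOG):
        print("ticket issued but no chpw transaction logged:", row)
```

The addresses reported are the ones the KDC saw, so for clients behind NAT they are the translated addresses, not the private ones.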
