Password Changing failing from Windows to MIT KDC
Mike Friedman
mikef at ack.Berkeley.EDU
Fri Sep 2 12:50:33 EDT 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, 23 Aug 2005 at 02:45 (-0000), Jeffrey Altman wrote:
> I can verify that there is a problem although I cannot determine at the
> moment what the source of it is. What is the most recent version of KFW
> that you are aware works?
Jeffrey,
Further investigation by my Windows colleagues appears to reveal that
password changing fails only when issued from a NAT'ed private IP address.
This is true both for KfW and for native Windows Kerberos password
changing.
But this problem has apparently existed for some time with admin functions
in general (e.g., kadmin) and not only from Windows systems.
So, as it stands, we have no evidence of a new problem either with recent
KfW releases or with a current version of the KDC.
Is the problem that you say you can verify perhaps also related to NAT'ed
private IP addresses?
Mike
=========================================================================
> Mike Friedman wrote:
>
>> I posted on this a few days ago but haven't received any replies, so I
>> figure it may have fallen through the cracks.
>>
>> It seems that with the current release of KfW, password changing fails
>> to either a 1.3.4 or 1.4.2 KDC. Yet, earlier versions of KfW don't
>> have this problem. Similarly with Windows native Kerberos password
>> changing. I haven't done testing of the latter myself, but a colleague
>> who works on Windows has.
>>
>> The message he receives is this:
>>
>> Server error: Failed decrypting request
>>
>> The KDC logs show a successful issuing of the kadmin/changepw service
>> credential, but no further action indicating a change password
>> transaction.
>>
>> I suspected a client host firewall problem (re: UDP 464), but the
>> problem continues even with no firewall rules in place.
>>
>> Has something changed with the new versions of KfW?
>>
>> Thanks.
>>
>> Mike
_____________________________________________________________________
Mike Friedman System and Network Security
mikef at ack.Berkeley.EDU 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://ack.Berkeley.EDU/~mikef http://security.berkeley.edu
_____________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQA/AwUBQxiC3K0bf1iNr4mCEQKgMACfUxcz33s0kZF2e9PnP8jvbAvB2QcAoPuo
JueMbogEsfXG7dAIEhsZ7k3R
=t4w9
-----END PGP SIGNATURE-----