Problems with kadmind, kpasswd and cross-realm authentication

Anthony Brock brocka at sterlingcgi.com
Tue Sep 4 22:48:21 EDT 2007


> -----Original Message-----
> Anthony Brock <brocka at sterlingcgi.com> wrote:
> > I have created several cross-realm trusts on a test server. At this
> > point, nearly everything is working properly. However, users are
> > unable to change their passwords unless their account is in the
> > initial domain. Users see the following when attempting it from the
> > initial domain:
> >
> > # kpasswd
> > Password for brocka at SCGROUP.ORG:
> > Enter new password:
> > Enter it again:
> > Password changed.
> > #
> >
> > Unfortunately, the following happens for additional domains:
> >
> > # kpasswd
> > Password for brocka at STERLINGCGI.COM:
> > Enter new password:
> > Enter it again:
> > Authentication error: Failed reading application request
> > #
>
> What happens if you run:
> kpasswd user at REALM
> and manually specify the realm name where the user account is at?
> so in your case, try running:
> kpasswd brocka at SCGROUP.ORG
> on the above machine where you were prompted for brocka at STERLINGCGI.COM
> credentials.

# kpasswd brocka at SCGROUP.ORG
Password for brocka at SCGROUP.ORG:
Enter new password:
Enter it again:
Password changed.
#

It works for the @SCGROUP.ORG domain (the initial realm). Here are the
results of the same with the @STERLINGCGI.COM realm:

# kpasswd brocka at STERLINGCGI.COM
Password for brocka at STERLINGCGI.COM:
Enter new password:
Enter it again:
Authentication error: Failed reading application request
#

> Additionally, are you behind a NAT when kpasswd fails?

No, the entire network is on a single, private IP address range. In fact,
I'm trying these particular commands on the same host that kadmind is
running on. However, the behavior is identical from a remote host.

Tony



