Solaris 10 client, MIT 1.6 server, kpasswd command
Christopher D. Clausen
cclausen at acm.org
Sun Dec 7 23:04:54 EST 2008
Edward Irvine <eirvine at tpg.com.au> wrote:
> Has anyone else had trouble changing passwords from a Solaris client?
> I'm using the Solaris 10 version of kpasswd:
> /bin/kpasswd username
> kpasswd: Changing password for username at EXAMPLE.COM.
> Old password: <secret>
> kpasswd: Cannot establish a session with the Kerberos administrative
> server for realm EXAMPLE.COM. Database error! Required KADM5
> principal missing.
> This works fine when I use the MIT Kerberos version of kpasswd.
krb5.conf -> kpasswd_protocol option:
Identifies the protocol to be used when communicating with the server
indicated by kpasswd_server. By default, this parameter is defined to be
RPCSEC_GSS, which is the protocol used by Solaris-based administration
servers. To be able to change a principal's password stored on
non-Solaris Kerberos server, such as Microsoft Active Directory or MIT
Kerberos, this value should be SET_CHANGE. This indicates that a
non-RPC-based protocol is used to communicate the password change
request to the server in the kpasswd_server entry.
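
An added example, not part of the original message: a small check that lists, for each realm in a krb5.conf `[realms]` section, the `kpasswd_protocol` a Solaris client would use, reporting the `RPCSEC_GSS` default described above when the option is unset. The function name, hostnames and the `OTHER.EXAMPLE` realm are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Prints "REALM PROTOCOL" for each
# realm in the [realms] section of a krb5.conf (file argument, or stdin).
# RPCSEC_GSS is reported when kpasswd_protocol is unset, per the man page
# text quoted above.
kpasswd_protocols() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { in_realms = ($0 ~ /^[ \t]*\[realms\]/); next }
        !in_realms    { next }
        /=[ \t]*\{/   {                             # "NAME = {" opens a stanza
            if (depth++ == 0) {                     # top level: a realm
                realm = $1; sub(/=.*/, "", realm); proto = "RPCSEC_GSS"
            }
            next
        }
        depth == 1 && /^[ \t]*kpasswd_protocol[ \t]*=/ {
            proto = $0
            sub(/^[^=]*=[ \t]*/, "", proto); sub(/[ \t]*$/, "", proto)
            next
        }
        /\}/ { if (depth > 0 && --depth == 0) print realm, proto }
    ' "${1:--}"
}

# Constructed sample: hostnames and OTHER.EXAMPLE are placeholders.
sample_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
        kpasswd_server = kdc.example.com
        kpasswd_protocol = SET_CHANGE
    }
    OTHER.EXAMPLE = {
        kdc = kdc.other.example
        admin_server = kdc.other.example
    }
EOF
}

sample_conf | kpasswd_protocols
```

A realm reported as `RPCSEC_GSS` while its password server is MIT Kerberos or Active Directory is the configuration the quoted man page text says to change to `SET_CHANGE`.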