computer account change password with Windows 2008 domain

Douglas E. Engert deengert at anl.gov
Wed Apr 8 17:11:58 EDT 2009


I have run into a similar problem in the last two days, as we have some W2008 DCs
and some W2003 DCs. The msktutil program to add computer accounts and create keytab
files then change the password uses the krb5_set_password_using_ccache with the
admin creds and the change_password_for set to the principal of the machine.

This is the same method used by the MIT ksetpwd command that is built but
not installed.

Both the ksetpwd and msktutil fail with an error of 3 "Authentication Error"
to W2008 DCs but work on W2003 DCs.

But instead of the host/fqdn at realm as the principal,
I can use samAccountName (without the $) and it will change the password.

So can you try the kpasswd with the account name?

I think this is a known bug in W2008, but have not tracked down the hotfix if any yet.

This may have something to do with smart card support in W2008, where
the userPrincipalName is now being used to match what is in the
UPN of a certificate and it does not have to be in the local realm!


sanjayk.cse at gmail.com wrote:
> I have migrated from a Windows 2003 AD server to a Windows 2008 AD
> server.
> With Windows 2003 AD, everything is working fine. With the
> Windows 2008 AD server I am getting a "KRB5_KPASSWD_AUTHERROR"
> error in reply to KPASSWD.
> I had earlier heimdal0.6. I learned that heimdal 1.2 is
> compatible with windows2008/vista. I integrated heimdal 1.2,
> but no improvement. Has someone experienced a similar kind of issue?

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
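
Added example, not part of the original message and not code from MIT krb5, Heimdal or msktutil: a decoder for the result data of a kpasswd reply (RFC 3244: a 16-bit big-endian result code followed by an optional text string), showing that result code 3 is the value krb5.h names KRB5_KPASSWD_AUTHERROR. The function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* kpasswd result codes from RFC 3244, using the macro names from MIT krb5.h. */
static const char *const kpasswd_names[] = {
    "KRB5_KPASSWD_SUCCESS", "KRB5_KPASSWD_MALFORMED",
    "KRB5_KPASSWD_HARDERROR", "KRB5_KPASSWD_AUTHERROR",
    "KRB5_KPASSWD_SOFTERROR", "KRB5_KPASSWD_ACCESSDENIED",
    "KRB5_KPASSWD_BAD_VERSION", "KRB5_KPASSWD_INITIAL_FLAG_NEEDED",
};

/* Hypothetical helper: map a numeric result code to its symbolic name. */
const char *kpasswd_code_name(unsigned code) {
    size_t n = sizeof(kpasswd_names) / sizeof(kpasswd_names[0]);
    return code < n ? kpasswd_names[code] : "UNKNOWN";
}

/* Hypothetical helper: decode decrypted result data (code + optional text).
 * The text is copied into msg, NUL-terminated and truncated if needed.
 * Returns the result code, or -1 if the buffer cannot hold a code. */
int kpasswd_parse_result(const uint8_t *buf, size_t len, char *msg, size_t msgsz) {
    if (buf == NULL || len < 2)
        return -1;
    size_t n = len - 2;
    if (msg != NULL && msgsz > 0) {
        if (n > msgsz - 1)
            n = msgsz - 1;
        memcpy(msg, buf + 2, n);
        msg[n] = '\0';
    }
    return (buf[0] << 8) | buf[1];
}

/* Constructed sample: result code 3 with an illustrative message string. */
static const uint8_t sample_autherror[] = {
    0x00, 0x03, 'a', 'u', 't', 'h', ' ', 'f', 'a', 'i', 'l', 'e', 'd' };

int main(void) {
    char msg[64];
    int code = kpasswd_parse_result(sample_autherror, sizeof sample_autherror,
                                    msg, sizeof msg);
    printf("%d %s: %s\n", code, kpasswd_code_name((unsigned)code), msg);
    return 0;
}
```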


