computer account change password with Windows 2008 domain
Douglas E. Engert
deengert at anl.gov
Wed Apr 8 17:11:58 EDT 2009
I have run into a similar problem in the last two days, as we have some W2008 DCs
and some W2003 DCs. The msktutil program to add computer accounts and create keytab
files then change the password uses the krb5_set_password_using_ccache with the
admin creds and the change_password_for set to the principal of the machine.
This is the same method used by the MIT ksetpwd command that is built but
not installed.

Both the ksetpwd and msktutil fail with an error of 3 "Authentication Error"
to W2008 DCs but work on W2003 DCs.

But if, instead of host/fqdn@realm as the principal,
I use the samAccountName (without the $), it will change the password.

So can you try the kpasswd with the account name?

I think this is a known bug in W2008, but I have not tracked down the hotfix, if any, yet.
This may have something to do with smart card support in W2008, where
the userPrincipalName is now being used to match what is in the
UPN of a certificate and it does not have to be in the local realm!

sanjayk.cse at gmail.com wrote:
> I have migrated from Windows 2003 AD server to Windows 2008 AD
> server.
> With Windows 2003 AD, everything is working fine. With the
> Windows 2008 AD server I am getting a "KRB5_KPASSWD_AUTHERROR"
> error in reply to KPASSWD.
> I had heimdal 0.6 earlier. I learned that heimdal 1.2 is
> compatible with Windows 2008/Vista. I integrated heimdal 1.2,
> but no improvement. Has anyone experienced a similar kind of issue?
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444