computer account change password with Windows 2008 domain

Douglas E. Engert deengert at anl.gov
Wed Apr 8 17:43:23 EDT 2009


The hotfix 951191 fixed this problem too...

Douglas E. Engert wrote:
> I have run into a similar problem in the last two days, as we have some W2008 DCs
> and some W2003 DCs. The msktutil program to add computer accounts and create keytab
> files then change the password uses the krb5_set_password_using_ccache with the
> admin creds and the change_password_for set to the principal of the machine.
> 
> This is the same method used by the MIT ksetpwd command that is built but
> not installed.
> 
> Both the ksetpwd and msktutil fail with an error of 3 "Authentication Error"
> to W2008 DCs but work on W2003 DCs.
> 
> But if instead of the host/fqdn at realm as the principal,
> I can use samAccountName (without the $) and it will change the password.
> 
> So can you try the kpasswd with the account name?
> 
> I think this is a known bug in W2008, but have not tracked down the hotfix if any yet.
> 
> This may have something to do with smart card support in W2008, where
> the userPrincipalName is now being used to match what is in the
> UPN of a certificate and it does not have to be in the local realm!
> 
> 
> sanjayk.cse at gmail.com wrote:
>> I have migrated from a Windows 2003 AD server to a Windows 2008 AD
>> server.
>> With Windows 2003 AD, everything is working fine. With the
>> Windows 2008 AD server I am getting a "KRB5_KPASSWD_AUTHERROR"
>> error in the reply of KPASSWD.
>> I had heimdal 0.6 earlier. I learned that heimdal 1.2 is
>> compatible with windows2008/vista. I integrated heimdal 1.2,
>> but no improvement. Has anyone experienced a similar kind of issue?
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


