kpasswd and kerberos 1.8.1
Greg Hudson
ghudson at MIT.EDU
Tue Mar 15 11:21:28 EDT 2011
On Tue, 2011-03-15 at 08:44 -0400, Claudio Prono wrote:
> kpasswd: Cannot contact any KDC for requested realm changing password
> Mar 15 13:39:45 kerberos krb5kdc[14969](info): AS_REQ (7 etypes {18 17
> 16 23 1 3 2}) 192.168.87.251: ISSUE: authtime 1300192785, etypes {rep=16
> tkt=16 ses=16}, testuser at DOMAIN.PRI for kadmin/changepw at DOMAIN.PRI
>
> What can be the problem?
There are two steps involved in changing a Kerberos password. First,
you request a kadmin/changepw ticket from the KDC using your old
password; then, you send your new password to the kpasswd service,
authenticated with the kadmin/changepw ticket.
Based on your KDC logs, the first step is succeeding--at least, from the
KDC's point of view. The second step is not, suggesting that the client
has the wrong information for the kpasswd service, or that kadmind isn't
running (the kpasswd service is normally implemented as part of
kadmind).
The error message you got is confusing because it mentions the KDC even
though it's probably a different service which couldn't be contacted.
I'll make a note to try and make that error clearer.
More information about the Kerberos
mailing list