kpasswd and kerberos 1.8.1

Mark Pröhl mark at mproehl.net
Fri Mar 18 16:43:02 EDT 2011


On 03/15/2011 06:32 PM, Brian Candler wrote:
> On Tue, Mar 15, 2011 at 11:21:28AM -0400, Greg Hudson wrote:
>> There are two steps involved in changing a Kerberos password.  First,
>> you request a kadmin/changepw ticket from the KDC using your old
>> password; then, you send your new password to the kpasswd service,
>> authenticated with the kadmin/changepw ticket.
>>
>> Based on your KDC logs, the first step is succeeding--at least, from the
>> KDC's point of view.  The second step is not, suggesting that the client
>> has the wrong information for the kpasswd service, or that kadmind isn't
>> running (the kpasswd service is normally implemented as part of
>> kadmind).
> And also: I believe that the kadmin service can't be located from DNS
> information (not yet anyway).  You have to configure it explicitly in
> /etc/krb5.conf

As far as I know, DNS SRV records for the kadmin service are not
supported by MIT clients. However, SRV records for kpasswd
(i.e. _kpasswd._udp.<Realm>) do work.
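
An added example, not part of the original message or of MIT's code: a small Python check that reads a krb5.conf and lists where a client would look for the kpasswd service of a realm. The lookup order (kpasswd_server, then the `_kpasswd._udp` SRV record, then port 464 on the admin_server host) is an assumption based on the MIT krb5.conf documentation, it presumes DNS lookups are not disabled, and the realms and hosts in the sample file are constructed.

```python
import re

# Constructed sample krb5.conf, not taken from the thread.
SAMPLE_CONF = """\
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        admin_server = kdc1.example.com:749
    }
    LAB.EXAMPLE.COM = {
        kdc = kdc.lab.example.com
        kpasswd_server = kpw.lab.example.com
    }
    BARE.EXAMPLE.COM = {
        kdc = kdc.bare.example.com
    }
"""

def realm_settings(conf_text, realm):
    """Return {key: [values]} for one realm block of the [realms] section."""
    settings, section, current = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, current = m.group(1), None
        elif section != "realms":
            continue
        elif m := re.fullmatch(r"(\S+)\s*=\s*\{", line):
            current = m.group(1)
        elif line == "}":
            current = None
        elif current == realm and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            settings.setdefault(key, []).append(value)
    return settings

def kpasswd_candidates(conf_text, realm):
    """List, in order, where a client would look for the kpasswd service."""
    # Assumed order: kpasswd_server, DNS SRV record, admin_server host on 464.
    s = realm_settings(conf_text, realm)
    if "kpasswd_server" in s:
        return [("krb5.conf kpasswd_server", v) for v in s["kpasswd_server"]]
    steps = [("DNS SRV", f"_kpasswd._udp.{realm}")]
    for admin in s.get("admin_server", []):
        host = admin.rsplit(":", 1)[0]  # drop the kadmin port if present
        steps.append(("admin_server host, port 464", f"{host}:464"))
    return steps
```

A realm that yields only the DNS SRV step, such as BARE.EXAMPLE.COM here, depends entirely on that record being published for password changes to reach the kpasswd service.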



