question about MIT kpasswd and RPCSEC_GSS

Will Fiveash will.fiveash at
Wed Jan 21 18:17:28 EST 2015

On Wed, Jan 21, 2015 at 05:22:43PM -0500, Tom Yu wrote:
> Will Fiveash <will.fiveash at> writes:
> > When talking to a older Solaris KDC that only supports the RPCSEC_GSS
> > protocol for change password request, will the current MIT kpasswd
> > command just work or does it require some non-default configuration
> > (some parameter set in krb5.conf)?
> My recollection is that we used to have a different kpasswd client
> program (dating back to the OV*Secure contribution, maybe) that did
> speak the kadm5 RPC protocol, but removed it.  Now we only have a
> kpasswd client that speaks the kpasswd protocol.

Thanks, I was looking through some older notes I made about this and the
code and felt I had entered a maze of twisty passages that all looked
alike.  Anyway (to make sure I'm clear) it's my understanding that MIT
back in 1.4 added support for kadmin/kadmind communication via
RPCSEC_GSS which made MIT kadmin compatible with Solaris kadmind.  My
notes on this also implied that the MIT kpasswd was updated to use

   MIT supports a SET_CHANGE protocol for changing password.  In 1.4
   they added support for our RPCSEC_GSS protocol.

It could be that I was mistaken about this which prompted my earlier

Will Fiveash
Oracle Solaris Software Engineer

More information about the Kerberos mailing list