"forwarded" kpasswd changes

Ben H bhendin at gmail.com
Thu Jun 4 19:02:13 EDT 2015


When utilizing Microsoft AD as a KDC against MIT clients, I am seeing the
following error/warning when changing passwords via kpasswd:

kpasswd: Incorrect net address changing password

The password *is* properly changed, but this message displays.

Here's the rub:

The KDC being used for the password change is a Microsoft RODC (read-only
domain controller).
The MS specs for this state that when a password change request is received
by the RODC, it "forwards" this on the client's behalf to a writable domain
controller (WDC).

So we see the as-req/rep pair for cname:username sname:kadmin/changepw pass
from the client to the RODC followed by the actual kpasswd exchange.
Looking at just this exchange you would think that the RODC is servicing
this request...

As stated however, the RODC actually "forwards" each of these requests to a
WDC which is actually providing the answer back to the RODC to be "proxied"
back to the client.
So we see these 4 exchange packets also pass between the RODC and the WDC -
the only apparent difference is the source and destination IP addresses.

I'm not sure if this "forwarding" of requests is based upon a standard
Kerberos protocol, or if it is something designed specifically as an MS
extension.

I'm also not sure what is contained within the exchange that would cause
the client to provide the "Incorrect net address" error as I see no IP
addresses or server names within the exchanges.

I know that this "forwarding" is causing the error, because it does not
exhibit itself when changing directly on the WDC.

Can someone provide any insight into this?

Thanks very much.
