"forwarded" kpasswd changes

Todd Grayson tgrayson at cloudera.com
Thu Jun 4 19:11:30 EDT 2015


I'm not 100% on the mechanics at the AD side on how your change is still
going through, but to avoid the error: have you tested setting, within
the realms definition of the AD realm along with the kdc entry, a
kpasswd_server value pointing to the proper host you want the kpasswd
exchange to take place with?

On Thu, Jun 4, 2015 at 5:02 PM, Ben H <bhendin at gmail.com> wrote:

> When utilizing Microsoft AD as a KDC against MIT clients,  I am seeing the
> following error/warning when changing passwords via kpasswd:
>
> kpasswd: Incorrect net address changing password
>
> The password *is* properly changed, but this message displays.
>
> Here's the rub:
>
> The KDC being used for the password change is a Microsoft RODC (read only
> domain controller).
> The MS specs for this state that when a password change request is received
> by the RODC, it "forwards" this on the client's behalf to a writable domain
> controller (WDC).
>
> So we see the as-req/rep pair for cname:username sname:kadmin/changepw pass
> from the client to the RODC followed by the actual kpasswd exchange.
> Looking at just this exchange you would think that the RODC is servicing
> this request...
>
> As stated however, the RODC actually "forwards" each of these requests to a
> WDC which is actually providing the answer back to the RODC to be "proxied"
> back to the client.
> So we see these 4 exchange packets also pass between the RODC and the WDC -
> the only apparent difference is the source and destination IP addresses.
>
> I'm not sure if this "forwarding" of requests is based upon a standard
> Kerberos protocol, or if it is something designed specifically as a MS
> extension.
>
> I'm also not sure what is contained within the exchange that would cause
> the client to provide the "Incorrect net address" error as I see no IP
> addresses or server names within the exchanges.
>
> I know that this "forwarding" is causing the error, because it does not
> exhibit itself when changing directly on the WDC.
>
> Can someone provide any insight into this?
>
> Thanks very much.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Customer Operations Engineering
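To make the suggestion above concrete, here is an added example (not from the thread or from MIT krb5) that parses the [realms] section of a krb5.conf and reports which host the client will use for kpasswd. The two embedded configs and the host names in them are constructed for illustration; the first has only kdc/admin_server entries for the AD realm, the second adds the kpasswd_server entry pointing at a writable DC.

```python
import re

# Constructed krb5.conf snippets (not taken from the thread). The first has
# no kpasswd_server for the AD realm; the second adds one naming a writable DC.
KRB5_CONF_BEFORE = """
[libdefaults]
    default_realm = AD.EXAMPLE.COM

[realms]
    AD.EXAMPLE.COM = {
        kdc = rodc1.ad.example.com
        admin_server = rodc1.ad.example.com
    }
"""

KRB5_CONF_AFTER = """
[realms]
    AD.EXAMPLE.COM = {
        kdc = rodc1.ad.example.com
        admin_server = rodc1.ad.example.com
        kpasswd_server = wdc1.ad.example.com
    }
"""

def parse_realms(conf_text):
    """Return {REALM: {key: [values]}} from the [realms] section.

    Minimal parser: handles 'tag = value' lines and one level of
    'REALM = { ... }' subsections, which is all this check needs.
    """
    realms, section, current = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, current = m.group(1), None
            continue
        if section != "realms":
            continue
        if line.endswith("{"):                 # 'AD.EXAMPLE.COM = {'
            current = line[:-1].strip().rstrip("=").strip()
            realms[current] = {}
        elif line == "}":
            current = None
        elif current and "=" in line:          # repeated tags (e.g. kdc) accumulate
            key, value = (s.strip() for s in line.split("=", 1))
            realms[current].setdefault(key, []).append(value)
    return realms

def kpasswd_target(conf_text, realm):
    """Host the MIT client will send kpasswd traffic to, or None when the realm
    has no explicit kpasswd_server (the client then falls back to DNS SRV
    lookup and finally admin_server on port 464, per the krb5.conf docs)."""
    hosts = parse_realms(conf_text).get(realm, {}).get("kpasswd_server")
    return hosts[0] if hosts else None
```

Running `kpasswd_target` over a client's real krb5.conf is a quick way to confirm whether password changes are pinned to a writable DC or left to DNS/admin_server fallback.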

