"forwarded" kpasswd changes

Russ Allbery eagle at eyrie.org
Thu Jun 4 21:04:59 EDT 2015


Ben H <bhendin at gmail.com> writes:

> When utilizing Microsoft AD as a KDC against MIT clients, I am seeing
> the following error/warning when changing passwords via kpasswd:

> kpasswd: Incorrect net address changing password

> The password *is* properly changed, but this message displays.

I don't know what causes this, but it's definitely not you.  I've seen
this behavior for years.  The client appears to be complaining about the
response from the server, which it thinks has the wrong net address (or
something; I was always murky on the details), but the change goes through
anyway.

The kpasswd protocol is horrible.  We finally made this go away by just
never using kpasswd for password change; we replaced it with a remctl
server that used kadmin/changepw for its server principal so that one
still had the AS-REQ-required properties, but used a sane TCP protocol for
the password change.  Not really an option (at least easily) in an AD
environment, though.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>

