kpasswd over firewall and TCP

Greg Hudson ghudson at
Wed May 6 11:01:58 EDT 2015

On 05/06/2015 10:45 AM, Meike Stone wrote:
> I like to use kpasswd, but the kpasswd_server is behind a firewall and
> only TCP port 464 is allowed.
> But as I see, kpasswd only uses UDP. Setting udp_preference_limit to 0
> (under libdefaults) didn't help.

The intent of the changepw.c code is to try both UDP and TCP first
(typically beginning with a UDP query, but udp_preference_limit could
cause a TCP query to be tried first), and then retry with only TCP if it
gets back a KRB5KRB_ERR_RESPONSE_TOO_BIG error.

As far as I know this code functions as intended.  Can you describe in
more detail what leads you to believe that it is only trying UDP?  Also,
what version are you using on the client, and what is running on the
kpasswd server?
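
One way to check which transports a client actually tried, as an added example that is not part of the original message: a parser for MIT krb5 `KRB5_TRACE` output that reports the transports attempted and answered on port 464. The sample trace lines are constructed, and the function names and the assumed trace wording are this example's own.

```python
import re

# Constructed sample, modelled on MIT krb5 KRB5_TRACE output. The message
# wording is an assumption and may differ between releases.
SAMPLE_TRACE = """\
[4242] 1430924518.100001: Sending initial UDP request to dgram 192.0.2.10:464
[4242] 1430924519.100950: Initiating TCP connection to stream 192.0.2.10:464
[4242] 1430924519.102310: Sending TCP request to stream 192.0.2.10:464
[4242] 1430924519.140772: Received answer (236 bytes) from stream 192.0.2.10:464
"""

# "dgram" marks a UDP endpoint and "stream" a TCP endpoint in the trace.
LINE_RE = re.compile(
    r"^\[\d+\] [\d.]+: (?P<event>.+?) (?:to|from) "
    r"(?P<kind>dgram|stream) \S+:(?P<port>\d+)$"
)
TRANSPORT = {"dgram": "udp", "stream": "tcp"}


def summarize_transports(trace_text, port=464):
    """List, in first-seen order, the transports tried and answered on port."""
    attempted, answered = [], []
    for line in trace_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m.group("port")) != port:
            continue
        proto = TRANSPORT[m.group("kind")]
        is_reply = m.group("event").startswith("Received answer")
        bucket = answered if is_reply else attempted
        if proto not in bucket:
            bucket.append(proto)
    return {"attempted": attempted, "answered": answered}


def diagnose(summary):
    """Map a summary to a short verdict about the kpasswd transport path."""
    if not summary["attempted"]:
        return "no-kpasswd-traffic"
    if "tcp" not in summary["attempted"]:
        return "udp-only"          # client never tried TCP 464
    if "tcp" not in summary["answered"]:
        return "tcp-no-answer"     # TCP tried, nothing came back
    return "tcp-ok"


if __name__ == "__main__":
    result = summarize_transports(SAMPLE_TRACE)
    print(result, diagnose(result))
```

A real trace can be captured by running kpasswd with `KRB5_TRACE` set to a file path and passing that file's contents to `summarize_transports`.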
