kpasswd over firewall ans TCP

Meike Stone meike.stone at
Wed May 6 12:35:13 EDT 2015

2015-05-06 17:01 GMT+02:00 Greg Hudson <ghudson at>:
> On 05/06/2015 10:45 AM, Meike Stone wrote:
>> I like to use kpasswd, but the kpasswd_server is behind a firewall and
>> only TCP port 464 is allowed.
>> But as i see, kpasswd only uses UDP. Setting udp_preference_limit to 0
>> (under libdefaults)
>> didn't help.
> The intent of the changepw.c code is to try both UDP and TCP first
> (typically beginning with a UDP query, but udp_preference_limit could
> cause a TCP query to be tried first), and then retry with only TCP if it
> gets back a KRB5KRB_ERR_RESPONSE_TOO_BIG error.
> As far as I know this code functions as intended.  Can you describe in
> more detail what leads you to believe that it is only trying UDP?  Also,
> what version are you using on the client, and what is running on the
> kpasswd server?

The Client is KfW 4.0.1 32bit. The kpasswd Server is AD W2k8, udp and
tcp (port 464) on the Server are open.
On the firewall is a proxy firewall with a rule for port TCP 464.

If I start kpasswd, I get at first a few port 88 (preauth) the I only
see a UDP package port 464, no tries for TCP:

18:31:39.696660 IP (tos 0x0, ttl 128, id 31724, offset 0, flags [+],
proto UDP (17), length 1500) >
UDP, length 1550
18:31:39.696737 IP (tos 0xc0, ttl 64, id 12852, offset 0, flags
[none], proto ICMP (1), length 576) > ICMP udp port 464 unreachable, length 556

(client / proxy firewall:

Error message is:
"kpasswd: Cannot contact any KDC for requested realm changing password"

In the Sourcecode ( , it looks like it is hard coded
(as above) and following lines:
"     if (code) {
             * Here we may want to switch to TCP on some errors.
             * right?

Thanks Meike

More information about the Kerberos mailing list