krb5_change_password rejected on some Windows 2025
Arnaud Bouchez
abz++krb at mailo.com
Wed Jun 25 06:58:48 EDT 2025
Hello,
Windows Server 2025-based Active Directory domain controllers appear to
regress in handling KPASSWD protocol. Namely, a password change request
is being processed and a password of an Active Directory account has
been changed but the response produced by the domain controller is
Kerberos error with code 0, explicitly not allowed by the RFC3244
describing Microsoft KPASSWD protocol.
Source:
https://lists.samba.org/archive/cifs-protocol/2024-December/004390.html
The `krb5_change_password()` function reject is_error +
KRB5_KPASSWD_SUCCESS as expected by the RFC, but it fails on this
buggy/featured Windows Server 2025 AD.
If I understand correctly, we could remove the following lines in chpw.c :
krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context,
....
/* Successful replies must not come from errors. */
if (is_error && result_code == KRB5_KPASSWD_SUCCESS) {
ret = KRB5KRB_AP_ERR_MODIFIED;
goto cleanup;
}
So that the API would work on those AD version.
Additional information about this MS/Windows issue is available at:
https://gitlab.freedesktop.org/realmd/adcli/-/issues/40
The official server-side fix is not there yet, and it may help
mitigating it on the client side.
Thanks for your attention.
Arnaud
More information about the Kerberos
mailing list