[krbdev.mit.edu #2547] Add support for kpasswd/TCP to kadmind
Jeffrey Altman via RT
rt-comment at krbdev.mit.edu
Fri Apr 30 16:17:19 EDT 2004
Microsoft Windows 2000/XP workstations can be configured to utilize an
MIT KDC for logins either as a stand-alone workstation or via a
cross-realm trust relationship. As part of the configuration the KSETUP
tool is used to inform Windows of the MIT REALM configuration. For example:

    SECURE-ENDPOINTS.COM:
        kdc = redhat71.secure-endpoints.com
        kpasswd = redhat71.secure-endpoints.com
        Realm Flags = 0x0 none

Windows by default only uses UDP to communicate with the KDC. This can
be a problem if the ticket requests are too big. In that situation it
is preferable to use TCP. This is specified by adding the realm flag,
TcpSupported. Unfortunately, doing so breaks the ability of Windows to
perform Change Password operations for principals in this realm because
kadmind does not support the change password protocol except via UDP.
The user will in turn receive an error: "1311: There are currently no
logon servers available to service the logon request. Please consult
your system administrator."

The workaround is to remove the TcpSupported realm flag.