Changing passwords in MS KDC from MIT krb5

Wyllys Ingersoll wyllys.ingersoll at
Tue May 7 09:29:00 EDT 2002

I believe the kpasswd utility in MIT 1.2.X (src/clients/kpasswd)
will work for changing passwords on a Microsoft AD server.

However, there is some confusion in the MIT distrib. because
there are actually 3 utilities for password changing:

1.  kpasswd - built under src/clients/kpasswd
2.  kpasswd - built under src/kadmin/passwd
3.  kadmin - built under src/kadmin/cli

Only #1 works for changing passwords on an MS AD server,
the other 2 use the OpenVision Auth-GSS stuff which is not
compatible with Microsoft's supported password changing

While #1 does not exactly support the full IETF proposal for
passwd set/change, it does support just enough to allow a user
to change their password on an AD server.

-Wyllys Ingersoll

Sam Hartman wrote:
> MIt does not and probably never will support this RFC.  It is a
> Microsoft specific extension to the set password protocol.  There is a
> standards track protocol under discussion in the Kerberos working
> group of the IETF that MIT will likely support once the protocol is
> completed.
> _______________________________________________
> krbdev mailing list             krbdev at

More information about the krbdev mailing list