Changing passwords in MS KDC from MIT krb5

Curtis Robinson curtis at oushi.org
Wed May 8 16:05:01 EDT 2002


Ok, I have the code necessary to take the password set in iPlanet
Directory Server.  I have the sample MS code to change the password
for the users.  What I am having trouble with is the functions necessary
to transform the admin username and password into the krb5_ccache
variable to feed to the MS change password function.

Function for setting password:
int set_passwd (char *targpname,
                char *passwd_new)

Create these variables:

    krb5_error_code ret;
    krb5_context context;
    char pname[] = "administrator";
    char passwd[] = "secret";
    krb5_ccache ccache;
    krb5_principal targprinc, princ;
    int result_code;
    krb5_data result_code_string, result_string;

Create the context with:
krb5_init_context(&context);

krb5_parse_name (context, pname, &princ);
krb5_parse_name (context, targpname, &targprinc);

Something between this gets the krb5_ccache from the pname and passwd.

Set the password (MS Function):
ret = krb5_set_password(context, ccache, passwd_new, targprinc,
                                &result_code, &result_code_string,
                                &result_string);


On Tue, May 07, 2002 at 07:33:58AM -0700, Booker C. Bense wrote:
> On Mon, 6 May 2002, Curtis Robinson wrote:
> 
> > Is there support for rfc 3244?  This rfc tells how to change the
> > password of other users with an admin account. I am trying to write a
> > plugin for iPlanet Directory Server to sync the password coming into the
> > LDAP Server and change the password over on the MS KDC.  But, the MIT
> > krb5 needs to support the ability to login as the administrator under
> > Windows and change the password of a different user. I have searched,
> > but I could not find any indication of whether or not it is supported
> > by the MIT krb5 implementation.
> 
> 
> - As far as I know, changing the password with an admin account is not
> supported by the MIT code. I used the MS supplied Kerberos
> interoperability code to implement a somewhat similar scheme
> here at Stanford. I'm pretty sure that changing the password
> as a user is supported by the MIT code.
> 
> - I'm not sure if I can hand out my modified MS code or not. I think
> it has disappeared from the MS web sites. At least when I tried to
> find it again it was gone from the URI I downloaded it from.
> 
> - You can also change the password in AD by using the ldap protocol
> over ssl.
> 
> - Booker C. Bense

-- 
Curtis Robinson
crobinso at fit.edu


