Support for Microsoft Set Password protocol

Nicolas Williams Nicolas.Williams at sun.com
Wed Apr 2 18:17:55 EST 2003


Yes.  Thanks!

So, unless MS fixes their kpasswd service to send responses that
indicate version mismatch to clients then kpasswd protocol major version
negotiation will be workable only by running the protocol over TCP.

I'll add text to the v2 draft about major version negotiation.

Cheers,

Nico

On Wed, Apr 02, 2003 at 05:17:02PM -0600, Paul W. Nelson wrote:
> A preliminary test shows that the tcp connection just gets dropped without
> any response.  This is much better than the UDP result.  At least you can do
> something about this...
> 
> -- 
> Paul W. Nelson
> Thursby Software Systems, Inc.
> 
> > From: Nicolas Williams <Nicolas.Williams at sun.com>
> > Date: Wed, 2 Apr 2003 14:51:47 -0800
> > To: "Paul W. Nelson" <nelson at thursby.com>
> > Cc: Ken Hornstein <kenh at cmf.nrl.navy.mil>, krbdev at MIT.EDU
> > Subject: Re: Support for Microsoft Set Password protocol
> > 
> > What if the client uses TCP?  Does the MS kpasswd service even support
> > TCP?  (rfc3244 mentions TCP but does not make TCP support an explicit
> > requirement - then again, it is an informational rfc...).
> > 
> > If the TCP behaviour is more acceptable then negotiation can still be
> > done.  Otherwise MS will have to patch their kpasswd service - remember,
> > if MS wants to implement v2 then MS will need a way for clients to
> > negotiate the protocol version...
> > 
> > Or we could move kpasswd v2 to a different port number and then
> > negotiation would go like this:
> > 
> > - try v2
> > - try v0xff80
> > - try v1
> > 
> > (yuck!)
> > 
> > Thanks,
> > 
> > Nico
> > 
> > On Wed, Apr 02, 2003 at 04:45:54PM -0600, Paul W. Nelson wrote:
> >> I hacked the 1.3 alpha code to force the version number to be set to 0x0002.
> >> Unfortunately, here is what a Microsoft Server 2003 (their latest) does:
> >> 
> >> 1) The Microsoft KDC does not respond to a change password request with the
> >> version set to 0x0002 at all.
> >> 2) It puts an error in the system event log (event id 23) with:
> >>     The KDC Received invalid messages of type changepassword.
> >> 
> >> This is the worst possible behavior for trying to support both new and old
> >> servers from an application (ie: negotiate a version to use).
> >>  
> >> -- 
> >> Paul W. Nelson
> >> Thursby Software Systems, Inc.
> 
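The fallback negotiation sketched in the thread (try v2, then 0xff80, then v1) as an added Python example, not code from the thread or from MIT Kerberos: requests are framed with the RFC 3244 header layout (length, version, AP-REQ length), and the three transport functions are constructed stand-ins for the behaviours Paul reports (TCP drop, UDP silence) plus a hypothetical server that answers with its own version. The 4-byte TCP length prefix and real AP-REQ/KRB-PRIV contents are omitted.

```python
import struct

# Version order from the thread: hypothetical v2, MS set-password, RFC 3244 change-password.
CANDIDATES = [0x0002, 0xFF80, 0x0001]


def build_request(version, ap_req=b"AP-REQ", krb_priv=b"KRB-PRIV"):
    """Frame a kpasswd request: total length (incl. this field), version, AP-REQ length, AP-REQ, KRB-PRIV."""
    body = struct.pack("!HH", version, len(ap_req)) + ap_req + krb_priv
    return struct.pack("!H", len(body) + 2) + body


def parse_version(reply):
    """Return the protocol version a reply carries, checking the length field first."""
    if len(reply) < 4:
        raise ValueError("short kpasswd reply")
    length, version = struct.unpack("!HH", reply[:4])
    if length != len(reply):
        raise ValueError("length field does not match reply size")
    return version


def negotiate(send, candidates=CANDIDATES):
    """Try each version; returns (version, outcome), where version is None if undecidable."""
    for version in candidates:
        try:
            reply = send(build_request(version))
        except ConnectionError:
            continue  # TCP: peer dropped the connection, so move to the next version
        except TimeoutError:
            return None, "udp-timeout"  # silence is indistinguishable from packet loss
        got = parse_version(reply)
        if got == version:
            return version, "accepted"
        return got, "server-indicated"  # server told us which version it speaks
    return None, "exhausted"


# Constructed transports; a real reply would carry an AP-REP and KRB-PRIV/KRB-ERROR.
def ms2003_tcp(request):
    version = struct.unpack("!H", request[2:4])[0]
    if version == 0x0002:
        raise ConnectionResetError("connection dropped without a response")
    return struct.pack("!HH", 4, version)


def ms2003_udp(request):
    version = struct.unpack("!H", request[2:4])[0]
    if version == 0x0002:
        raise TimeoutError("no datagram received")
    return struct.pack("!HH", 4, version)


def version_announcing_tcp(request):
    return struct.pack("!HH", 4, 0x0001)  # answers unknown versions with its own
```

Against the TCP stand-in the loop settles on 0xff80 after one dropped connection; against the UDP stand-in it cannot tell a rejected version from a lost datagram, which is the thread's argument for TCP.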