Support for Microsoft Set Password protocol

Wyllys Ingersoll wyllys.ingersoll at
Thu Apr 3 10:36:42 EST 2003

Ken Hornstein wrote:
>>Due to the interop issues, wouldn't is be simpler to just to have a
>>My understanding is that everyone who needs the MS set password
>>functionality needs it only to manage Windows domains.  Therefore, they know
>>that they are talking to a Windows domain.  Hence, they want to make a call
>>that only does the MS thing.
> It seems to me that this would make it hard to write a generic
> application.  Say I'm writing an application that changes a
> password ... do I have to have the user specify which password
> changing protocol to use?  Would the average user even know?  Given
> the choice, I'd rather make one API call and have some sort of
> configuration information in krb5.conf make that decision (since
> it's a per-realm attribute).
> --Ken

When we originally added support for the V1 passwd change protocol
currently supported by MIT and Microsoft, we added a realm specific
parameter "kpasswd_protocol = [RPCSEC_GSS | SET_CHANGE]" so that the
clients could continue to use the same API and the protocol
decision is made deep down in the library, thus no applications had
to be modified in order to support it - (basically, pam and kpasswd
were the primary clients of the password change API).

This may likely have to change slightly in the future depending on
how Nico's protocol gets implemented, but for now it seemed like
the logical way to handle it.


More information about the krbdev mailing list