Changing password through Kerberos/ Kerberos Error codes

Arpit Srivastava arpit.orb at gmail.com
Wed Apr 3 07:22:45 EDT 2013


Hi,

I am developing a mobile app which authenticates (i.e. fetches TGT and
service tickets) the user (who already has an account with Active Directory)
to the KDC using Kerberos commands (kinit - for TGT and kvno - for service
ticket), after which tokens are generated (using GSS APIs) and passed over
to the service server.

Now, I want to implement:

1. The functionality of password change in my app, as in, if the user wants
to change the password (of his AD account), he can do so in my mobile app
(similar to what we do in Windows). But I am unable to find any method for
doing so. The kpasswd utility is there, but can it be used the way we use
kinit/kvno etc.?

2. Kerberos native functions don't return anything other than
SUCCESS/FAILURE. They do not return any major status and minor status like
the GSS API. So, suppose TGT fetching failed for some reason (password was
wrong or client principal name was not found in the Kerberos database or
password is expired). Now, I want to tell the user why fetching the TGT
failed. So, how to determine the reason for the failure of kinit?

Please help!

Regards,
Arpit


More information about the krbdev mailing list