Changing password through Kerberos/ Kerberos Error codes

Russ Allbery rra at
Wed Apr 3 13:03:04 EDT 2013

Arpit Srivastava <arpit.orb at> writes:

> Now, I want to implement :

> 1. The functionality of password change in my app, as in, if the user
> wants to change the password (of his AD account), he can do so in my
> mobile app (similar to what we do in Windows). But I am unable to find
> any method for doing so. Kpasswd utility is there, but can it be used
> the way we use kinit/kvno etc ?

You would use the krb5_set_password or krb5_change_password APIs after
obtaining credentials for kadmin/changepw via whatever mechanism.  (You
have to use an AS-REQ, not a TGS-REQ, however; in other words, you have to
get those credentials directly with the equivalent of kinit and can't use
a TGT to obtain them.)  I don't think the kpasswd binary lets you use a
pre-existing credential cache, although I'm not positive.

> 2. Kerberos native functions dont return anything other than
> SUCCESS/FAILURE. It does not return any major status and minor status
> like GSS API.  So, suppose TGT fetching failed for some reason (password
> was wrong or client principle name was not found in Kerberos database or
> password is expired). Now, I want to prompt the user why fetching TGT
> failed. So, How to determine the reason of failure of kinit.

Well, using a Kerberos library that gave you real Kerberos status results
would be my recommendation....

Russ Allbery (rra at             <>

More information about the krbdev mailing list