Changing password through Kerberos/ Kerberos Error codes
rra at stanford.edu
Wed Apr 3 13:03:04 EDT 2013
Arpit Srivastava <arpit.orb at gmail.com> writes:
> Now, I want to implement :
> 1. The functionality of password change in my app, as in, if the user
> wants to change the password (of his AD account), he can do so in my
> mobile app (similar to what we do in Windows). But I am unable to find
> any method for doing so. Kpasswd utility is there, but can it be used
> the way we use kinit/kvno etc ?
You would use the krb5_set_password or krb5_change_password APIs after
obtaining credentials for kadmin/changepw via whatever mechanism. (You
have to use an AS-REQ, not a TGS-REQ, however; in other words, you have to
get those credentials directly with the equivalent of kinit and can't use
a TGT to obtain them.) I don't think the kpasswd binary lets you use a
pre-existing credential cache, although I'm not positive.
> 2. Kerberos native functions dont return anything other than
> SUCCESS/FAILURE. It does not return any major status and minor status
> like GSS API. So, suppose TGT fetching failed for some reason (password
> was wrong or client principle name was not found in Kerberos database or
> password is expired). Now, I want to prompt the user why fetching TGT
> failed. So, How to determine the reason of failure of kinit.
Well, using a Kerberos library that gave you real Kerberos status results
would be my recommendation....
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the krbdev