Changing password through Kerberos/ Kerberos Error codes

Arpit Srivastava arpit.orb at
Mon Apr 8 09:38:33 EDT 2013

Thanks for the reply. I have couple of more doubts.

1. Before prompting the user to change the password, I want to check
whether the password is about to expire or not. My server is Windows AD and
I have set the password lifetime to be 2 days (which is less than 7 day as
per Windows standard for sending the password expiry notification).
For that, I have registered a callback in krb5_get_init_creds_password but
what is happening is callback api is being called again and again. And TGT
is fetched in the background. What could be the reason for this ? Moreover,
no message/banner is coming in prompt callback function which is unexpected.

2. I made the password to expire on my Windows account. and now checking
the krb5 error code returned by krb5_get_init_creds_password. Ideally, it
should come out to be KRB5KDC_ERR_KEY_EXP  butwhat I am getting is
KRB5KDC_ERR_NEVER_VALID . What could be the reason for this behavior.


On Wed, Apr 3, 2013 at 10:33 PM, Russ Allbery <rra at> wrote:

> Arpit Srivastava <arpit.orb at> writes:
> > Now, I want to implement :
> > 1. The functionality of password change in my app, as in, if the user
> > wants to change the password (of his AD account), he can do so in my
> > mobile app (similar to what we do in Windows). But I am unable to find
> > any method for doing so. Kpasswd utility is there, but can it be used
> > the way we use kinit/kvno etc ?
> You would use the krb5_set_password or krb5_change_password APIs after
> obtaining credentials for kadmin/changepw via whatever mechanism.  (You
> have to use an AS-REQ, not a TGS-REQ, however; in other words, you have to
> get those credentials directly with the equivalent of kinit and can't use
> a TGT to obtain them.)  I don't think the kpasswd binary lets you use a
> pre-existing credential cache, although I'm not positive.
> > 2. Kerberos native functions dont return anything other than
> > SUCCESS/FAILURE. It does not return any major status and minor status
> > like GSS API.  So, suppose TGT fetching failed for some reason (password
> > was wrong or client principle name was not found in Kerberos database or
> > password is expired). Now, I want to prompt the user why fetching TGT
> > failed. So, How to determine the reason of failure of kinit.
> Well, using a Kerberos library that gave you real Kerberos status results
> would be my recommendation....
> --
> Russ Allbery (rra at             <>

More information about the krbdev mailing list