Changing password through Kerberos/ Kerberos Error codes

Arpit Srivastava arpit.orb at
Mon Apr 8 23:41:45 EDT 2013

Thanks Russ and Greg.

1. I am talking about what Russ said. It is krb5_grt_init_creds_password
callback. Ideally, the callback function should receive message and banner,
but I dont know why, null values of message and banner are coming in
callback function. It should give one of the three strings that password is
about to expire. I am not using krb5_get_init_creds_opt_set_expire_callback
as of now. Ideally, krb5_grt_init_creds_password should return
KRB5KDC_ERR_KEY_EXP, but it is returning KRB5KDC_ERR_NEVER_VALID. I am not
trying to fetch TGT of negative lifetime.

2. Are Windows KDC error codes different from what MIT Kerberos lists on
its website ? To print the Kerberos error messages, I am using Java
GSSException class. For example, if krb5_grt_init_creds_password returned
-1765328378 which correponds to KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN. I
initialize an object of GSSException class and pass major_status as
GSS_S_FAILURE (851968) and minor status as -1765328378. Then calling the
getMinorString() method using this object. Minor status corresponds to
underlying implementation, that is Krb5 in my case. But I am getting null
minor string everytime. Is there any better way to print meaning for
Kerberos error codes.


On Mon, Apr 8, 2013 at 9:50 PM, Russ Allbery <rra at> wrote:

> Arpit Srivastava <arpit.orb at> writes:
> > 1. Before prompting the user to change the password, I want to check
> > whether the password is about to expire or not. My server is Windows AD
> > and I have set the password lifetime to be 2 days (which is less than 7
> > day as per Windows standard for sending the password expiry
> > notification).  For that, I have registered a callback in
> > krb5_get_init_creds_password but what is happening is callback api is
> > being called again and again. And TGT is fetched in the background. What
> > could be the reason for this ? Moreover, no message/banner is coming in
> > prompt callback function which is unexpected.
> The krb5_get_init_creds_password callback, if you're referring to what I
> think you're referring to, is intended for prompting, not for intercepting
> messages from the KDC (although it can also do the latter).  If you
> provide a prompting function, you'll have to deal with the prompts (such
> as passwords).  But I'm not sure I understand what you're explaining; more
> details might be helpful.
> > 2. I made the password to expire on my Windows account. and now checking
> > the krb5 error code returned by krb5_get_init_creds_password. Ideally,
> > it should come out to be KRB5KDC_ERR_KEY_EXP butwhat I am getting is
> > KRB5KDC_ERR_NEVER_VALID . What could be the reason for this behavior.
> That error message supposedly means that you requested a negative lifetime
> for the ticket.
> --
> Russ Allbery (rra at             <>

More information about the krbdev mailing list