Fwd: krb5_change_password() message string from server is empty

Arpit Srivastava arpit.orb at gmail.com
Mon Jun 17 08:00:52 EDT 2013

Greg said
"Active Directory servers send back a result string which begins with two
zero bytes (so it looks like an empty string) but is then followed with
some binary values giving policy information.  In 1.11, we added an API
krb5_chpw_message() to interpret the result string as a displayable
string.  The kpasswd client uses this API."

How to interpret these binary values as readable strings in case I dont
want to use krb5_chpw_message() ?

---------- Forwarded message ----------
From: Arpit Srivastava <arpit.orb at gmail.com>
Date: Mon, Jun 17, 2013 at 5:25 PM
Subject: krb5_change_password() message string from server is empty
To: krbdev at mit.edu


When krb5_change_password() returns 0 but result_code is not equal to zero,
the result_string and result_code_string must contain some message from the
When I am using standard kpasswd binary, I am getting a Password change
rejected: You can not change password more than once a day.... message.
But, when I am using the api in my application, I am getting empty strings.
However, password change works fine in case of success (both ret and
are zero).
What could the reason for not getting the strings properly?


More information about the krbdev mailing list