Fwd: krb5_change_password() message string from server is empty

Greg Hudson ghudson at MIT.EDU
Mon Jun 17 10:23:49 EDT 2013

On 06/17/2013 08:00 AM, Arpit Srivastava wrote:
> Greg said
> "Active Directory servers send back a result string which begins with two
> zero bytes (so it looks like an empty string) but is then followed with
> some binary values giving policy information.  In 1.11, we added an API
> krb5_chpw_message() to interpret the result string as a displayable
> string.  The kpasswd client uses this API."
> How to interpret these binary values as readable strings in case I don't
> want to use krb5_chpw_message()?

If the result message is 30 bytes long and begins with two 0 bytes, then
you can interpret those bytes like so:

* Bytes 0-1: Zero
* Bytes 2-6: Password minimum length
* Bytes 7-10: Password history depth
* Bytes 11-14: Flag word (see below)
* Bytes 15-22: Password expiration time (in ten millionths of a second)
* Bytes 23-30: Password minimum age (in ten millionths of a second)

All fields are in big-endian byte order.  I'm not sure what all can go
into the flag word, but we translate the 0x01 bit as "The password must
include numbers or symbols.  Don't include any part of your name in the
password." and we currently ignore other bits.
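As an added illustration of the layout described above (example code written for this archive page, not part of the krb5 project or Greg's message), the parser below unpacks such a result string with Python's struct module and renders it the way a client that does not call krb5_chpw_message() might. It assumes the six fields are packed contiguously as 2 + 4 + 4 + 4 + 8 + 8 bytes, which is what the 30-byte total implies; the sample input is constructed here, and the flag text reuses the 0x01 wording from the message.

```python
import struct
from typing import Optional

# Fields, big-endian: 2 zero bytes, u32 min length, u32 history depth,
# u32 flag word, u64 expiration, u64 minimum age (assumed widths, 30 bytes total).
AD_POLICY_FORMAT = ">HIIIQQ"
AD_POLICY_LEN = struct.calcsize(AD_POLICY_FORMAT)  # 30

# Times are in ten-millionths of a second (100 ns); this many per day.
TICKS_PER_DAY = 10_000_000 * 24 * 60 * 60

# Only bit 0x01 of the flag word is given a meaning in the message above.
FLAG_COMPLEXITY = 0x01
FLAG_TEXT = {
    FLAG_COMPLEXITY: ("The password must include numbers or symbols.  "
                      "Don't include any part of your name in the password."),
}


def parse_ad_chpw_result(result: bytes) -> Optional[dict]:
    """Return the policy fields, or None if the bytes are not an AD policy blob.

    A C caller that treats the result as a NUL-terminated string would see an
    empty string here, because the blob starts with two zero bytes; checking the
    length first avoids discarding the policy information.
    """
    if len(result) != AD_POLICY_LEN or result[:2] != b"\x00\x00":
        return None
    _zero, min_len, history, flags, expire, min_age = struct.unpack(
        AD_POLICY_FORMAT, result)
    return {
        "min_length": min_len,
        "history_depth": history,
        "flags": flags,
        "expiration_days": expire / TICKS_PER_DAY,
        "min_age_days": min_age / TICKS_PER_DAY,
    }


def result_to_text(result: bytes) -> str:
    """Turn a kpasswd result string into something displayable.

    Non-AD servers send ordinary text, so fall back to decoding the bytes
    (leniently, since the server's encoding is not guaranteed).
    """
    policy = parse_ad_chpw_result(result)
    if policy is None:
        return result.decode("utf-8", errors="replace").rstrip("\x00")
    lines = [
        "Password policy:",
        f"  minimum length: {policy['min_length']} characters",
        f"  history depth: {policy['history_depth']} passwords",
        f"  expires after: {policy['expiration_days']:g} days",
        f"  minimum age: {policy['min_age_days']:g} days",
    ]
    for bit, text in FLAG_TEXT.items():
        if policy["flags"] & bit:
            lines.append("  " + text)
    # Bits without a known meaning are reported rather than silently dropped.
    unknown = policy["flags"] & ~sum(FLAG_TEXT)
    if unknown:
        lines.append(f"  (unrecognised policy flags: 0x{unknown:x})")
    return "\n".join(lines)


# Constructed sample: min length 8, history 24, flag 0x01,
# expiration 42 days, minimum age 1 day (both in 100 ns units).
SAMPLE_AD_RESULT = struct.pack(AD_POLICY_FORMAT, 0, 8, 24, 0x01,
                               42 * TICKS_PER_DAY, 1 * TICKS_PER_DAY)
SAMPLE_TEXT_RESULT = b"Password changed\x00"

if __name__ == "__main__":
    print(result_to_text(SAMPLE_AD_RESULT))
    print(result_to_text(SAMPLE_TEXT_RESULT))
```

The length check is the important part: a 30-byte blob that happens to begin with two zero bytes is the signal, and anything else is passed through as text.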
