convert cleartext password to principal key

Simo Sorce simo at redhat.com
Mon Jan 27 08:33:38 EST 2014


On Mon, 2014-01-27 at 17:40 +0530, Rachit Raj wrote:
> Hi,
> 
> I am working on Java code to integrate users' passwords in the corporate LDAP
> with their Kerberos principal keys. This code would ensure that whenever a user
> changes their LDAP password, their Kerberos key is updated
> automatically. Basically, they would have only one password for both
> LDAP and Kerberos authentication. I am using Java's Kerberos package to
> generate the Kerberos principal key. But when I saved this key to the
> krbprincipalkey attribute in LDAP, kinit failed with the error
> *"kinit(v5): Generic error (see e-text) while getting initial credentials".*

The keys saved in krbprincipalkey must be encrypted with the master key
which is normally not available to the LDAP server and shouldn't be made
available to external programs.

The easiest way for an external program is to give it a keytab and allow
it to change any user's password in the kadmin acls, then just use the
kpasswd protocol to change it.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
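The setup Simo describes, as an added example that is not part of the thread: a service principal with its own keytab, a kadm5.acl entry granting only the change-password privilege on user principals, and the per-change call that the LDAP sync hook makes through MIT kadmin. It assumes an MIT KDC; the realm EXAMPLE.COM, the principal pwsync/sync, the keytab path, the kadm5.acl path and the kadmind service name are all placeholders.

```shell
#!/bin/sh
# Constructed example (not from the thread). All names below are placeholders.
REALM="EXAMPLE.COM"
SVC="pwsync/sync"
KEYTAB="/etc/krb5.pwsync.keytab"
ACL_FILE="/var/kerberos/krb5kdc/kadm5.acl"   # distribution-specific path

# kadm5.acl line: grant the sync principal only "c" (change password) on
# user principals in the realm, never the full "*" privilege set. The master
# key stays on the KDC; the sync service never sees it.
acl_line() {
    printf '%s@%s c *@%s\n' "$1" "$2" "$2"
}

# Run once on the KDC: random-key principal, keytab export, minimal ACL,
# then restart kadmind so it picks up the new ACL entry.
setup_kdc() {
    kadmin.local -q "addprinc -randkey $SVC@$REALM"
    kadmin.local -q "ktadd -k $KEYTAB $SVC@$REALM"
    acl_line "$SVC" "$REALM" >> "$ACL_FILE"
    systemctl restart kadmin        # service name is an assumption
}

# Called by the LDAP sync hook after a successful LDAP password change.
# Authenticates with the keytab and changes the user's Kerberos password
# over the kadmin protocol; the KDC re-derives and master-key-encrypts
# the stored keys itself. The new password is read from stdin rather than
# taken as an argument, but note it still passes through kadmin's -q string.
set_user_password() {
    user="$1"
    IFS= read -r newpw
    [ -n "$newpw" ] || { echo "empty password refused" >&2; return 1; }
    kadmin -k -t "$KEYTAB" -p "$SVC@$REALM" \
        -q "cpw -pw $newpw $user@$REALM"
}
```

The keytab file is the sync service's only credential, so restrict its ownership and mode to the sync process and rotate it with ktadd as part of normal key hygiene.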



More information about the krbdev mailing list