[24591] in Kerberos
Re: Password Changing failing from Windows to MIT KDC
daemon@ATHENA.MIT.EDU (Mike Friedman)
Fri Sep 2 12:51:44 2005
Date: Fri, 2 Sep 2005 09:50:33 -0700 (PDT)
From: Mike Friedman <mikef@ack.berkeley.edu>
To: Jeffrey Altman <jaltman2@nyc.rr.com>
In-Reply-To: <65wOe.7445$ZG2.1349701@twister.nyc.rr.com>
Message-ID: <20050902094204.Y45006@malcolm.berkeley.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, 23 Aug 2005 at 02:45 (-0000), Jeffrey Altman wrote:
> I can verify that there is a problem although I cannot determine at the
> moment what the source of it is. What is the most recent version of KFW
> that you are aware works?
Jeffrey,
Further investigation by my Windows colleagues appears to reveal that
password changing fails only when issued from a NAT'ed private IP address.
This is true both for KfW and for native Windows Kerberos password
changing.
But this problem has apparently existed for some time with admin functions
in general (e.g., kadmin) and not only from Windows systems.
So, as it stands, we have no evidence of a new problem either with recent
KfW releases or with a current version of the KDC.
Is the problem that you say you can verify perhaps also related to NAT'ed
private IP addresses?
Mike
=========================================================================
> Mike Friedman wrote:
>
>> I posted on this a few days ago but haven't received any replies, so I
>> figure it may have fallen through the cracks.
>>
>> It seems that with the current release of KfW, password changing fails
>> to either a 1.3.4 or 1.4.2 KDC. Yet, earlier versions of KfW don't
>> have this problem. Similarly with Windows native Kerberos password
>> changing. I haven't done testing of the latter myself, but a colleague
>> who works on Windows has.
>>
>> The message he receives is this:
>>
>> Server error: Failed decrypting request
>>
>> The KDC logs show a successful issuing of the kadmin/changepw service
>> credential, but no further action indicating a change password
>> transaction.
>>
>> I suspected a client host firewall problem (re: UDP 464), but the
>> problem continues even with no firewall rules in place.
>>
>> Has something changed with the new versions of KfW?
>>
>> Thanks.
>>
>> Mike
_____________________________________________________________________
Mike Friedman System and Network Security
mikef@ack.Berkeley.EDU 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://ack.Berkeley.EDU/~mikef http://security.berkeley.edu
_____________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQA/AwUBQxiC3K0bf1iNr4mCEQKgMACfUxcz33s0kZF2e9PnP8jvbAvB2QcAoPuo
JueMbogEsfXG7dAIEhsZ7k3R
=t4w9
-----END PGP SIGNATURE-----
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos