[37070] in Kerberos
Re: "forwarded" kpasswd changes
daemon@ATHENA.MIT.EDU (Todd Grayson)
Thu Jun 4 19:12:05 2015
In-Reply-To: <CAAd7aubSpQMCu1F=8w2Mp1nK8Fr2VZbztNPzNCJtocR94c=9fA@mail.gmail.com>
From: Todd Grayson <tgrayson@cloudera.com>
Date: Thu, 4 Jun 2015 17:11:30 -0600
Message-ID: <CALNT6MWxDvGGhvY4xD5zFr+Oz3UjXpQkb_Q_Ad+HUAtNvrLTFw@mail.gmail.com>
To: Ben H <bhendin@gmail.com>
Cc: kerberos@mit.edu
I'm not 100% on the mechanics at the AD side on how your change is still
going through, but to avoid the error: have you tested setting, within
the realms definition of the AD realm, along with the kdc entry, a
kpasswd_server value pointing to the proper host you want the kpasswd
exchange to take place with?
On Thu, Jun 4, 2015 at 5:02 PM, Ben H <bhendin@gmail.com> wrote:
> When utilizing Microsoft AD as a KDC against MIT clients, I am seeing the
> following error/warning when changing passwords via kpasswd:
>
> kpasswd: Incorrect net address changing password
>
> The password *is* properly changed, but this message displays.
>
> Here's the rub:
>
> The KDC being used for the password change is a Microsoft RODC (read-only
> domain controller).
> The MS specs for this state that when a password change request is received
> by the RODC, it "forwards" this on the client's behalf to a writable domain
> controller (WDC).
>
> So we see the as-req/rep pair for cname:username sname:kadmin/changepw pass
> from the client to the RODC followed by the actual kpasswd exchange.
> Looking at just this exchange you would think that the RODC is servicing
> this request...
>
> As stated however, the RODC actually "forwards" each of these requests to a
> WDC which is actually providing the answer back to the RODC to be "proxied"
> back to the client.
> So we see these 4 exchange packets also pass between the RODC and the WDC -
> the only apparent difference is the source and destination IP addresses.
>
> I'm not sure if this "forwarding" of requests is based upon a standard
> Kerberos protocol, or if it is something designed specifically as an MS
> extension.
>
> I'm also not sure what is contained within the exchange that would cause
> the client to provide the "Incorrect net address" error as I see no IP
> addresses or server names within the exchanges.
>
> I know that this "forwarding" is causing the error, because it does not
> exhibit itself when changing directly on the WDC.
>
> Can someone provide any insight into this?
>
> Thanks very much.
--
Todd Grayson
Customer Operations Engineering
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
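Added example of the krb5.conf change the reply suggests; this is not configuration from the thread, and EXAMPLE.COM, rodc.example.com and wdc01.example.com are placeholder names. The AD realm keeps its kdc entry for the RODC, while kpasswd_server directs the password-change exchange at a writable domain controller so the RODC is not in the path.

```ini
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    # Placeholder realm and host names; substitute your own.
    EXAMPLE.COM = {
        # The RODC the clients already use for AS-REQ/TGS-REQ traffic.
        kdc = rodc.example.com
        # Send the kpasswd exchange (TCP/UDP 464) straight to a writable DC
        # instead of letting the RODC forward it on the client's behalf.
        kpasswd_server = wdc01.example.com:464
        # admin_server is consulted for kpasswd only when kpasswd_server is unset.
        admin_server = wdc01.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

Running the change as `KRB5_TRACE=/dev/stderr kpasswd` prints which host the client sends the change-password request to, which confirms whether the WDC or the RODC is being contacted.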