[37071] in Kerberos


Re: "forwarded" kpasswd changes

daemon@ATHENA.MIT.EDU (Russ Allbery)
Thu Jun 4 21:05:23 2015

From: Russ Allbery <eagle@eyrie.org>
To: Ben H <bhendin@gmail.com>
In-Reply-To: <CAAd7aubSpQMCu1F=8w2Mp1nK8Fr2VZbztNPzNCJtocR94c=9fA@mail.gmail.com>
	(Ben H.'s message of "Thu, 4 Jun 2015 18:02:13 -0500")
Date: Thu, 04 Jun 2015 18:04:59 -0700
Message-ID: <877frjyngk.fsf@hope.eyrie.org>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Ben H <bhendin@gmail.com> writes:

> When utilizing Microsoft AD as a KDC against MIT clients, I am seeing
> the following error/warning when changing passwords via kpasswd:

> kpasswd: Incorrect net address changing password

> The password *is* properly changed, but this message displays.

I don't know what causes this, but it's definitely not you.  I've seen
this behavior for years.  The client appears to be complaining about the
response from the server, which it thinks has the wrong net address (or
something; I was always murky on the details), but the change goes through
anyway.

The kpasswd protocol is horrible.  We finally made this go away by just
never using kpasswd for password change; we replaced it with a remctl
server that used kadmin/changepw for its server principal so that one
still had the AS-REQ-required properties, but used a sane TCP protocol for
the password change.  Not really an option (at least easily) in an AD
environment, though.

-- 
Russ Allbery (eagle@eyrie.org)              <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
