kpasswd and kerberos 1.8.1

kpasswd and kerberos 1.8.1

Claudio Prono
Hello all,

I use Kerberos with OpenSuSE, and I have some problems with the kpasswd
command to change the user password.

kpasswd testuser
Password for [hidden email]:
Enter new password:
Enter it again:
kpasswd: Cannot contact any KDC for requested realm changing password

But all the other Kerberos functions work properly, so I think it is not a
DNS problem or something similar.

In the logs I have only this:

Mar 15 13:39:45 kerberos krb5kdc[14969](info): AS_REQ (7 etypes {18 17
16 23 1 3 2}) 192.168.87.251: ISSUE: authtime 1300192785, etypes {rep=16
tkt=16 ses=16}, [hidden email] for kadmin/[hidden email]

What can be the problem?

Cordially,

Claudio Prono.


--

--------------------------------------------------------------------------------
Claudio Prono                         OPST
System Developer              
                                      Gsm: +39-349-54.33.258
@PSS Srl                              Tel: +39-011-32.72.100
Via San Bernardino, 17                Fax: +39-011-32.46.497
10141 Torino - ITALY                  http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc




________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: kpasswd and kerberos 1.8.1

Greg Hudson
On Tue, 2011-03-15 at 08:44 -0400, Claudio Prono wrote:
> kpasswd: Cannot contact any KDC for requested realm changing password

> Mar 15 13:39:45 kerberos krb5kdc[14969](info): AS_REQ (7 etypes {18 17
> 16 23 1 3 2}) 192.168.87.251: ISSUE: authtime 1300192785, etypes {rep=16
> tkt=16 ses=16}, [hidden email] for kadmin/[hidden email]
>
> What can be the problem?

There are two steps involved in changing a Kerberos password.  First,
you request a kadmin/changepw ticket from the KDC using your old
password; then, you send your new password to the kpasswd service,
authenticated with the kadmin/changepw ticket.

Based on your KDC logs, the first step is succeeding--at least, from the
KDC's point of view.  The second step is not, suggesting that the client
has the wrong information for the kpasswd service, or that kadmind isn't
running (the kpasswd service is normally implemented as part of
kadmind).

The error message you got is confusing because it mentions the KDC even
though it's probably a different service which couldn't be contacted.
I'll make a note to try and make that error clearer.



Re: kpasswd and kerberos 1.8.1

Brian Candler
On Tue, Mar 15, 2011 at 11:21:28AM -0400, Greg Hudson wrote:

> There are two steps involved in changing a Kerberos password.  First,
> you request a kadmin/changepw ticket from the KDC using your old
> password; then, you send your new password to the kpasswd service,
> authenticated with the kadmin/changepw ticket.
>
> Based on your KDC logs, the first step is succeeding--at least, from the
> KDC's point of view.  The second step is not, suggesting that the client
> has the wrong information for the kpasswd service, or that kadmind isn't
> running (the kpasswd service is normally implemented as part of
> kadmind).

And also: I believe that the kadmin service can't be located from DNS
information (not yet anyway).  You have to configure it explicitly in
/etc/krb5.conf

Re: kpasswd and kerberos 1.8.1

Mark Pröhl
On 03/15/2011 06:32 PM, Brian Candler wrote:

> On Tue, Mar 15, 2011 at 11:21:28AM -0400, Greg Hudson wrote:
>> There are two steps involved in changing a Kerberos password.  First,
>> you request a kadmin/changepw ticket from the KDC using your old
>> password; then, you send your new password to the kpasswd service,
>> authenticated with the kadmin/changepw ticket.
>>
>> Based on your KDC logs, the first step is succeeding--at least, from the
>> KDC's point of view.  The second step is not, suggesting that the client
>> has the wrong information for the kpasswd service, or that kadmind isn't
>> running (the kpasswd service is normally implemented as part of
>> kadmind).
> And also: I believe that the kadmin service can't be located from DNS
> information (not yet anyway).  You have to configure it explicitly in
> /etc/krb5.conf

As far as I know, DNS SRV records for the kadmin service are not
supported by MIT clients. However, SRV records for kpasswd
(i.e. _kpasswd._udp.<Realm>) do work.
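
Added example, not part of any poster's message and not MIT krb5 code: a small Python helper that reads krb5.conf text and lists, in order, where a client would look for the password-change service discussed in this thread (an explicit kpasswd_server, then the _kpasswd._udp SRV name, then port 464 on the admin_server host). The lookup order is assumed from the MIT krb5.conf documentation and should be checked against the installed version; the sample configuration, realm names and host names are constructed.

```python
import re

KPASSWD_PORT = 464  # standard port of the Kerberos password-change service

# Constructed sample: OTHER.EXAMPLE has a KDC but names no admin/kpasswd host,
# so ticket requests work while password changes depend entirely on DNS.
SAMPLE = """
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        admin_server = kdc1.example.com:749
    }
    OTHER.EXAMPLE = {
        kdc = kdc.other.example
    }
"""

def parse_realms(conf_text):
    """Return {realm: {key: [values]}} from the [realms] section."""
    realms, section, current = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, current = m.group(1), None
        elif section == "realms":
            key, _, value = (p.strip() for p in line.partition("="))
            if line == "}":
                current = None
            elif value == "{":
                current = realms.setdefault(key, {})
            elif current is not None:
                current.setdefault(key, []).append(value)
    return realms

def kpasswd_candidates(conf_text, realm):
    """Ordered (source, target, port) entries to check for a realm."""
    entry = parse_realms(conf_text).get(realm, {})
    out = []
    for v in entry.get("kpasswd_server", []):
        host, sep, port = v.rpartition(":")
        out.append(("kpasswd_server", host, int(port)) if sep and port.isdigit()
                   else ("kpasswd_server", v, KPASSWD_PORT))
    out.append(("dns_srv", "_kpasswd._udp." + realm, None))
    for v in entry.get("admin_server", []):
        host, sep, port = v.rpartition(":")
        out.append(("admin_server_fallback", host if sep and port.isdigit() else v, KPASSWD_PORT))
    return out
```

For each entry returned, confirm that the host resolves and that kadmind is listening on the listed port; an empty result apart from the dns_srv entry means the realm section gives the client nothing to contact for password changes.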
