"forwarded" kpasswd changes


"forwarded" kpasswd changes

Ben H
When utilizing Microsoft AD as a KDC against MIT clients, I am seeing the
following error/warning when changing passwords via kpasswd:

kpasswd: Incorrect net address changing password

The password *is* properly changed, but this message displays.

Here's the rub:

The KDC being used for the password change is a Microsoft RODC (read-only
domain controller).
The MS specs for this state that when a password change request is received
by the RODC, it "forwards" this on the client's behalf to a writable domain
controller (WDC).

So we see the as-req/rep pair for cname:username sname:kadmin/changepw pass
from the client to the RODC followed by the actual kpasswd exchange.
Looking at just this exchange you would think that the RODC is servicing
this request...

As stated however, the RODC actually "forwards" each of these requests to a
WDC which is actually providing the answer back to the RODC to be "proxied"
back to the client.
So we see these 4 exchange packets also pass between the RODC and the WDC -
the only apparent difference is the source and destination IP addresses.

I'm not sure if this "forwarding" of requests is based upon a standard
Kerberos protocol, or if it is something designed specifically as an MS
extension.

I'm also not sure what is contained within the exchange that would cause
the client to provide the "Incorrect net address" error as I see no IP
addresses or server names within the exchanges.

I know that this "forwarding" is causing the error, because it does not
exhibit itself when changing directly on the WDC.

Can someone provide any insight into this?

Thanks very much.
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: "forwarded" kpasswd changes

Todd Grayson
I'm not 100% on the mechanics at the AD side on how your change is still
going through, but to avoid the error: have you tested setting, within the
realms definition of the AD realm alongside the kdc entry, a kpasswd_server
value pointing to the proper host you want the kpasswd exchange to take
place with?

On Thu, Jun 4, 2015 at 5:02 PM, Ben H <[hidden email]> wrote:

> When utilizing Microsoft AD as a KDC against MIT clients,  I am seeing the
> following error/warning when changing passwords via kpasswd:
>
> kpasswd: Incorrect net address changing password
>
> The password *is* properly changed, but this message displays.
>
> [...]



--
Todd Grayson
Customer Operations Engineering
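As an added example (not from the thread), here is what Todd's suggestion looks like in krb5.conf on the MIT client. The realm and host names are placeholders. With only kdc entries, MIT's locator has no kpasswd_server and, as the krb5.conf documentation describes, falls back to a DNS SRV lookup (then to admin_server on port 464); in an AD site that answer is the local RODC. Adding kpasswd_server pins the password-change exchange to a writable DC while ticket traffic keeps using the kdc entries.

```ini
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        ; Before: ticket requests go to the listed KDCs, but password
        ; changes are located via DNS (_kpasswd._udp SRV), which is how
        ; the request ends up at the site-local RODC.
        kdc = rodc1.example.com
        kdc = dc1.example.com
        admin_server = dc1.example.com

        ; After (Todd's suggestion): send the kpasswd exchange, port 464,
        ; straight to a writable DC so nothing is forwarded.
        kpasswd_server = dc1.example.com
    }
```

Check which host the library actually talks to with `KRB5_TRACE=/dev/stderr kpasswd user@EXAMPLE.COM`; the trace prints the address and port of each request it sends. Pinning one DC trades the site-aware DNS answer for a hard dependency on that host, so treat it as a workaround for the warning rather than a fix of the client-side check.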

Re: "forwarded" kpasswd changes

Russ Allbery-2
Ben H <[hidden email]> writes:

> When utilizing Microsoft AD as a KDC against MIT clients, I am seeing
> the following error/warning when changing passwords via kpasswd:

> kpasswd: Incorrect net address changing password

> The password *is* properly changed, but this message displays.

I don't know what causes this, but it's definitely not you.  I've seen
this behavior for years.  The client appears to be complaining about the
response from the server, which it thinks has the wrong net address (or
something; I was always murky on the details), but the change goes through
anyway.

The kpasswd protocol is horrible.  We finally made this go away by just
never using kpasswd for password change; we replaced it with a remctl
server that used kadmin/changepw for its server principal so that one
still had the AS-REQ-required properties, but used a sane TCP protocol for
the password change.  Not really an option (at least easily) in an AD
environment, though.

--
Russ Allbery ([hidden email])              <http://www.eyrie.org/~eagle/>

Re: "forwarded" kpasswd changes

Ken Hornstein
>I don't know what causes this, but it's definitely not you.  I've seen
>this behavior for years.  The client appears to be complaining about the
>response from the server, which it thinks has the wrong net address (or
>something; I was always murky on the details), but the change goes through
>anyway.

I haven't tried that combination, but from memory the issue is that
the kpasswd protocol uses a KRB-PRIV message and the issue was that
you can't omit an IP address from it (let me check ... yes, the sender's
address is not optional in a KRB-PRIV message).  You could run kpasswd
under a debugger to figure out what the "wrong" address is.  But I suspect
it would be just easier to modify the MIT client to ignore the IP address
on the KRB-PRIV on the reply message.

>The kpasswd protocol is horrible.

+1

--Ken

Re: "forwarded" kpasswd changes

Greg Hudson
On 06/04/2015 09:45 PM, Ken Hornstein wrote:
> I haven't tried that combination, but from memory the issue is that
> the kpasswd protocol uses a KRB-PRIV message and the issue was that
> you can't omit an IP address from it (let me check ... yes, the sender's
> address is not optional in a KRB-PRIV message).  You could run kpasswd
> under a debugger to figure out what the "wrong" address is.  But I suspect
> it would be just easier to modify the MIT client to ignore the IP address
> on the KRB-PRIV on the reply message.

Yes; we did that for 1.13.  We had already made the corresponding change
to the server in 1.10.

http://krbdev.mit.edu/rt/Ticket/Display.html?id=7886
http://krbdev.mit.edu/rt/Ticket/Display.html?id=6979

>> The kpasswd protocol is horrible.
>
> +1

I don't think of it as all that bad, but we should probably try it over
TCP first, as the UDP protocol is subject to erroneously treating
retransmits as replays.
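To make Ken's explanation and Greg's follow-up concrete, here is an added example (not MIT krb5 code and not from the thread) that models the reply half of the exchange Ben captured. It DER-encodes the plaintext EncKrbPrivPart from RFC 4120 section 5.7.1, where s-address is a mandatory field, and then applies the client-side check: the pre-1.13 MIT client compares the sender address carried inside the KRB-PRIV reply with the address it sent the request to and reports `Incorrect net address` (KRB_AP_ERR_BADADDR) on a mismatch. The addresses 10.0.0.5 (RODC) and 10.0.0.9 (WDC) are constructed, and it is an assumption, following Ken's reasoning, that the writable DC fills in its own address as sender before the RODC proxies the bytes back unchanged. Encryption of the enc-part under the AP-REQ subkey is left out; it does not affect the comparison.

```python
"""Model of the kpasswd KRB-PRIV reply check behind "Incorrect net address".

Added example for illustration; not MIT krb5 code.  Only the plaintext
EncKrbPrivPart (RFC 4120 section 5.7.1) is encoded; on the wire it is
encrypted under the AP-REQ subkey, which does not change the address check.
"""
from typing import Optional

# --- just enough DER to build and read an EncKrbPrivPart --------------------

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _ctx(n: int, body: bytes) -> bytes:
    return _tlv(0xA0 | n, body)            # [n] EXPLICIT context tag, constructed

def _integer(v: int) -> bytes:             # non-negative values only
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def _octets(b: bytes) -> bytes:
    return _tlv(0x04, b)

def _sequence(*items: bytes) -> bytes:
    return _tlv(0x30, b"".join(items))

def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _ctx_fields(seq_body: bytes) -> dict:
    """Map context tag number -> inner TLV for the fields of a SEQUENCE."""
    fields, pos = {}, 0
    while pos < len(seq_body):
        tag, body, pos = _read_tlv(seq_body, pos)
        fields[tag & 0x1F] = body
    return fields

# --- Kerberos structures ------------------------------------------------------

ADDRTYPE_IPV4 = 2                  # HostAddress addr-type (RFC 4120 section 7.5.3)
APP_ENC_KRB_PRIV_PART = 0x7C       # [APPLICATION 28], constructed

def host_address(ip: str) -> bytes:
    """HostAddress ::= SEQUENCE { addr-type [0] Int32, address [1] OCTET STRING }"""
    packed = bytes(int(octet) for octet in ip.split("."))
    return _sequence(_ctx(0, _integer(ADDRTYPE_IPV4)), _ctx(1, _octets(packed)))

def enc_krb_priv_part(user_data: bytes, seq: int, s_address: str,
                      r_address: Optional[str] = None) -> bytes:
    """EncKrbPrivPart: user-data [0], seq-number [3], s-address [4] (NOT optional),
    r-address [5] OPTIONAL.  There is no encoding without a sender address."""
    fields = [_ctx(0, _octets(user_data)), _ctx(3, _integer(seq)),
              _ctx(4, host_address(s_address))]
    if r_address is not None:
        fields.append(_ctx(5, host_address(r_address)))
    return _tlv(APP_ENC_KRB_PRIV_PART, _sequence(*fields))

def _priv_fields(msg: bytes) -> dict:
    tag, app_body, _ = _read_tlv(msg)
    if tag != APP_ENC_KRB_PRIV_PART:
        raise ValueError("not an EncKrbPrivPart")
    _, seq_body, _ = _read_tlv(app_body)
    return _ctx_fields(seq_body)

def sender_address(msg: bytes) -> str:
    _, ha_body, _ = _read_tlv(_priv_fields(msg)[4])       # s-address [4]
    _, addr, _ = _read_tlv(_ctx_fields(ha_body)[1])       # address [1]
    return ".".join(str(b) for b in addr)

def user_data(msg: bytes) -> bytes:
    _, data, _ = _read_tlv(_priv_fields(msg)[0])          # user-data [0]
    return data

# --- the client-side check ----------------------------------------------------

class IncorrectNetAddress(Exception):
    """Models KRB_AP_ERR_BADADDR, which kpasswd prints as 'Incorrect net address'."""

def client_rd_priv(reply: bytes, sent_to: str, check_sender: bool = True) -> bytes:
    """Pre-1.13 behaviour: the sender address inside the KRB-PRIV must equal the
    host the request went to.  check_sender=False models the 1.13 client, which
    ignores the address in the reply."""
    if check_sender and sender_address(reply) != sent_to:
        raise IncorrectNetAddress(
            f"reply names sender {sender_address(reply)}, expected {sent_to}")
    return user_data(reply)

RODC, WDC = "10.0.0.5", "10.0.0.9"   # constructed addresses for the scenario

def forwarded_reply() -> bytes:
    """The WDC builds the reply with ITS address as s-address (assumption) and the
    RODC proxies it unchanged.  user-data 00 00 is the RFC 3244 success code."""
    return enc_krb_priv_part(b"\x00\x00", seq=1, s_address=WDC)

def reply_accepted(check_sender: bool) -> bool:
    """True if the client accepts the proxied reply, False on 'Incorrect net address'."""
    try:
        return client_rd_priv(forwarded_reply(), RODC, check_sender) == b"\x00\x00"
    except IncorrectNetAddress:
        return False

if __name__ == "__main__":
    print("old client accepts forwarded reply:", reply_accepted(True))    # False
    print("1.13-style client accepts it:", reply_accepted(False))         # True
```

The password change itself succeeds in both runs because the result code in user-data is 0; only the address comparison differs, which matches what Ben and Russ observed.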