kpasswd and kerberos 1.8.1

Claudio Prono

Mar 15, 2011, 8:44:39 AM
to kerb...@mit.edu
Hello all,

I use Kerberos with OpenSuSE, and I have some problems with the kpasswd
command to change the user password.

kpasswd testuser
Password for test...@DOMAIN.PRI:
Enter new password:
Enter it again:
kpasswd: Cannot contact any KDC for requested realm changing password

But all the other Kerberos functions work properly, so I think it is not a
DNS problem or something similar.

In the logs I have only this:

Mar 15 13:39:45 kerberos krb5kdc[14969](info): AS_REQ (7 etypes {18 17
16 23 1 3 2}) 192.168.87.251: ISSUE: authtime 1300192785, etypes {rep=16
tkt=16 ses=16}, test...@DOMAIN.PRI for kadmin/chan...@DOMAIN.PRI

What can be the problem?

Cordially,

Claudio Prono.


--

--------------------------------------------------------------------------------
Claudio Prono OPST
System Developer
Gsm: +39-349-54.33.258
@PSS Srl Tel: +39-011-32.72.100
Via San Bernardino, 17 Fax: +39-011-32.46.497
10141 Torino - ITALY http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc


Greg Hudson

Mar 15, 2011, 11:21:28 AM
to claudi...@atpss.net, kerb...@mit.edu
On Tue, 2011-03-15 at 08:44 -0400, Claudio Prono wrote:
> kpasswd: Cannot contact any KDC for requested realm changing password

> Mar 15 13:39:45 kerberos krb5kdc[14969](info): AS_REQ (7 etypes {18 17
> 16 23 1 3 2}) 192.168.87.251: ISSUE: authtime 1300192785, etypes {rep=16
> tkt=16 ses=16}, test...@DOMAIN.PRI for kadmin/chan...@DOMAIN.PRI
>
> What can be the problem?

There are two steps involved in changing a Kerberos password. First,
you request a kadmin/changepw ticket from the KDC using your old
password; then, you send your new password to the kpasswd service,
authenticated with the kadmin/changepw ticket.

Based on your KDC logs, the first step is succeeding--at least, from the
KDC's point of view. The second step is not, suggesting that the client
has the wrong information for the kpasswd service, or that kadmind isn't
running (the kpasswd service is normally implemented as part of
kadmind).

The error message you got is confusing because it mentions the KDC even
though it's probably a different service which couldn't be contacted.
I'll make a note to try and make that error clearer.


Brian Candler

Mar 15, 2011, 1:32:09 PM
to Greg Hudson, kerb...@mit.edu
On Tue, Mar 15, 2011 at 11:21:28AM -0400, Greg Hudson wrote:
> There are two steps involved in changing a Kerberos password. First,
> you request a kadmin/changepw ticket from the KDC using your old
> password; then, you send your new password to the kpasswd service,
> authenticated with the kadmin/changepw ticket.
>
> Based on your KDC logs, the first step is succeeding--at least, from the
> KDC's point of view. The second step is not, suggesting that the client
> has the wrong information for the kpasswd service, or that kadmind isn't
> running (the kpasswd service is normally implemented as part of
> kadmind).

And also: I believe that the kadmin service can't be located from DNS
information (not yet anyway). You have to configure it explicitly in
/etc/krb5.conf.

Mark Pröhl

Mar 18, 2011, 4:43:02 PM
to kerb...@mit.edu

As far as I know, DNS SRV records for the kadmin service are not
supported by MIT clients. However, SRV records for kpasswd
(i.e. _kpasswd._udp.<Realm>) do work.

heather...@gmail.com

Apr 27, 2017, 2:43:39 PM
In my case, I had the servers listed in the /etc/krb5.conf file with the port specified (original config instructions I followed did it that way). As soon as I removed the port numbers from it, all was fixed and password updating functioned normally.
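
An added example, not part of any post in this thread: a small Python check that reads a realm stanza from krb5.conf text and lists where a client would look for the kpasswd service, plus any entries that pin an explicit port. The lookup order (kpasswd_server, then the `_kpasswd._udp.<Realm>` SRV record, then port 464 on the admin_server host) follows MIT's krb5.conf documentation and is an assumption for the 1.8.1 client discussed here; the host names in the sample are constructed.

```python
import re

KPASSWD_PORT = 464  # standard kpasswd port

# Constructed sample: realm name from the thread, host names invented.
SAMPLE_CONF = """
[realms]
    DOMAIN.PRI = {
        kdc = kerberos.domain.pri:88
        admin_server = kerberos.domain.pri:749
    }
"""

def realm_settings(conf_text, realm):
    """Collect {key: [values]} from one flat realm stanza."""
    stanza = re.search(r"^\s*%s\s*=\s*\{(.*?)\}" % re.escape(realm),
                       conf_text, re.S | re.M)
    settings = {}
    for line in (stanza.group(1).splitlines() if stanza else []):
        line = line.strip()
        if "=" in line and not line.startswith(("#", ";")):
            key, _, value = line.partition("=")
            settings.setdefault(key.strip(), []).append(value.strip())
    return settings

def split_host_port(value):
    """Split 'host[:port]'; port is None when not given (no IPv6 handling)."""
    host, sep, port = value.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (value, None)

def kpasswd_candidates(conf_text, realm):
    """List (source, target, port) in the lookup order assumed in the lead-in."""
    settings = realm_settings(conf_text, realm)
    found = []
    for value in settings.get("kpasswd_server", []):
        host, port = split_host_port(value)
        found.append(("kpasswd_server", host, port or KPASSWD_PORT))
    if not found:
        # SRV name mentioned in the thread; resolving it is left to dig/host.
        found.append(("dns_srv", "_kpasswd._udp." + realm, None))
        for value in settings.get("admin_server", []):
            host, _ = split_host_port(value)
            found.append(("admin_server", host, KPASSWD_PORT))
    return found

def entries_with_ports(conf_text, realm):
    """Entries that pin an explicit port, like the config in the last post."""
    return [(k, v) for k, vs in realm_settings(conf_text, realm).items()
            for v in vs if split_host_port(v)[1] is not None]
```

Each host and port returned by `kpasswd_candidates` is a place to confirm that kadmind is running and reachable from the client.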