MIT Kerberos KDC & W2K Client: Changing expired password issueMIT Kerberos KDC & W2K Client: Changing expired password issue
Hi,
I also experienced the same problem as William
G.Zereneh
(http://mailman.mit.edu/pipermail/kerberos/2004-May/005341.html).
I'm able to change the password using ctrl-alt-del,
but when the password is expired and windows asks me
to change the password, I encountered "Domain
MIT.REALM.COM is not available" error.
As I sniff the packet, it noticed that it sent a CLDAP
query message with filter: (&(DnsDomain =
MIT.REALM.COM)(Host = myhostname)(NtVer=\006)
which is returned NULL by my
_ldap._tcp.dc._msdcs.REALM.MIT.COM
How to resolve this problem ? maybe there's a missing
entry in my DNS ?
Is it mandatory for the MIT Kerberos KDC (I installed
it on RedHat Linux) to have an LDAP service to resolve
the CLDAP request ?
and can LDAP actually entertains CLDAP request since
LDAP is using TCP while CLDAP is using UDP ?
Can I resolve the CLDAP request using Windows 2000
server instead ?
Any ideas will be very appreciated
Regards from newbie,
lara
=====
------------------------------------------------------------------------------------
La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
- Guy de Maupassant -
------------------------------------------------------------------------------------
__________________________________
Do you Yahoo!?
Friends. Fun. Try the all-new Yahoo! Messenger.
http://messenger.yahoo.com/
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
m1r4cle_26
comp.protocols.kerberos
5541 articles. 
1 followers.
jwinius
0 Replies
1686 Views
Similar Artilces:
MIT KDC & Windows Client
Hello, I've been experimenting with heimdal kerberos on the cross-realm authentication, for windows 2000 clients to authenticate to heimdal KDC, and just found out that there seems to be a problem with the changing password interoperability between the win2k client and heimdal KDC. Therefore, I intend to switch to MIT Kerberos but need to confirm the interoperability features of MIT KDC and windows clients: 1. Is the any issue of change password incompatibility between MIT KDC and windows clients ? Will a user from a win2k / winXP machine be able to change his/her password in MIT KDC using ctrl-alt-del or when the password is expired ? In the following link: http://mailman.mit.edu/pipermail/kerberos/2004-April/005326.html, Jeffrey Altman wrote: "I have just tested MIT KDC 1.3.3 with two machines. One which is part of a Windows domain which uses cross-realm trust with a MIT KDC to perform login. In this case the password change does not appear to work on expiration." Has anyone found a way to solve the above problem ? or is this still a limitation of the interoperability between MIT Kerberos KDC and windows client ? 2. Quoting from the paper of Michael Swift, Irina Kosinovsky and Johathan Trostle titled Implementation of Crossrealm Referral Handling in the MIT Kerberos Client: "The Windows 2000 client does not canonicalize names at all, so the short name is sent to the KDC." Hence, if my understanding is correct, a request for service: host...
Request to change MIT Kerberos behavior when principal is expired, deleted or password changed
Hi everyone, I would like to request a change in how MIT Kerberos behaves. I would like for KDC's to reject all requests to issue or renew tickets if the principal is deleted or expired. On a different note, it couldn't hurt to discuss rejecting old tickets after a password change as well. The current behavior is that a valid ticket may be renewed even if the principal has expired, the principal is deleted or the password has been changed after tickets were issued. I appreciate any help in how to request this. Thanks, Jason -------------------------------------------...
Password change (MIT kerberos & Windows AD)
Hi I have following problem. MIT kerberos working together with Windows 2000 domain with cross-realm trust. Users can authenticate themselves in W2K workstation against MIT kerberos realm. As I see everything works fine with authentication. But.... When user attempts to change his/her Kerberos password password change attempt fail with following error: "Unable to change the password on this account due to the following error: 1326: Logon Failure : unknown user name or bad password" Currently we have implemented Kerberos user names with first capital letter. For testing purpouse I created user name with only small letters. And Voila. Password changed successfully. So when user name consist only small letters password change works but when user name first letter is capitalized password change does not work..... Where is the problem???? ****** kdc.log Nov 2 12:03:32 src@host krb5kdc[19607]: AS_REQ (7 etypes {23 -133-128 3 1 24 -135}) 192.168.0.100: ISSUE: authtime 1099389812, etypes {rep=3 tkt=1 ses=1}, Username@REALM.COM for kadmin/changepw@REALM.COM Nov 2 12:03:32 src@host krb5kdc[19607]: AS_REQ (7 etypes {23 -133-128 3 1 24 -135}) 192.168.0.100: ISSUE: authtime 1099389812, etypes {rep=3 tkt=1 ses=1}, Username@REALM.COM for kadmin/changepw@REALM.COM Nov 2 12:03:32 src@london2 krb5kdc[19607]: DISPATCH: repeated (retransmitted?) request from 192.168.0.100, resending previous response Nov 2 12:03:32 src@london2 krb5kdc[19607]: DISPATCH: repeated (retransmitted?)...
RHEL6 not forcing password change when logging in with expired kerberos password
Hello I have a mixed RHEL5/RHEL6 environment and am having problems with RHEL6 forcing users to change their kerberos password when it is expired. RHEL5 works as I'd expect - challenges me to change my expired kerb pw when I log in. The RHEL6 server knows the kerb pw is expired (and shows the message "Warning: password has expired.") but then continues to give me an interactive session (albeit without a valid ticket - klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_541)). Also on RHEL6 servers if I manually enter kinit after ssh'ing I get prompted...
Help on Unix kerberos client->win2k3 kerberos KDC
Hello, I am a newbie to kerberos authentication, and what I am trying to do is to use a Unix ldap client authenticate to the win2k3 server, and add a user to it. The way I tried to do is by following MIT's tutorial and sample code under www.mit.edu/afs/athena/astaff/project/ ldap/AD99/kerberossamp.txt. and I configured the Unix machine based on Microsoft tutorial http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp =========> I can successfully import a tgt from win2k3 KDC server by running kinit, here is the result: $ kdestroy $ kinitPassword for mwang@SYSTEST.abc.COM: $ klist Ticket cache: FILE:/tmp/krb5cc_1023 Default principal: mwang@SYSTEST.abc.COM Valid starting Expires Service principal 10/31/03 17:53:08 11/01/03 03:50:48 krbtgt/SYSTEST.abc.COM@SYSTEST.abc.COM renew until 11/01/03 17:53:08 Kerberos 4 ticket cache: /tmp/tkt1023 klist: You have no tickets cached ===========> Then I tried to run adduser program, I made a little change to the code to set some default values. Here is the result: (New user account is: nweuser) LDAP service name: ldap@bloomber-vy45cz.systest.abc.com ==> client_establish_context Sending init_sec_context token (size=1254)... 60 82 04 e2 06 09 2a 86 48 86 f7 12 01 02 02 01 00 6e 82 04 d1 30 82 04 cd a0 03 02 01 05 a1 03 02 01 0e a2 07 03 05 00 20 00 00 00 a3 82 04 05 61 82 04 01 30 82 03 fd a0 03 02 01 05 a1 17 1b 15 53 59 53 54 45 53 54 2e 42 4c 4f 4f 4d 42 45 52...
MIT Kerberos password change
I have a MIT Kerberos with ldap backend. I change my password simple with kadmin or kpasswd, but now I want include our designers and some other people include in the kerberos auth. But I can't show them, how they can change the password on the command line :P So, is there any nice webinterface to change a kerberos password? Thanks ...
MIT Kerberos clients and Windows KDC
Hi all, I am trying to make an embedded device part of the windows domain and use windows DC as KDC for my embedded divice. Embedded device has MIT Kerberos. I am using GSS API . * How can we get the TGT for the server programatically ( transperently ) with out user intervention ? * If the device restarts, then do I need to store the TGT in persistent memory ? * If I am not wrong, microsoft adds the PAC data which no limitation of size. I have memory constraints. Is it required to store the TGT in non volatile memory ? I need this info since I am trying to find in case if the embedded device reboots ,then do I need to store the TGT in non volatile memory or I can get it again after the device comes up. * Assuming that a client is accessing services on embedded device via Kerberos and there is already a successful kerberos session is established. If at this point, if the embedded device reboots and the device gets TGT again, will it alter the communication in any way ? Could anybody please respond to these queries? Regards in article 1132304089.372626.30620@g49g2000cwa.googlegroups.com, sandypossible@gmail.com at sandypossible@gmail.com wrote on 11/18/05 2:54 AM: > Hi all, > > I am trying to make an embedded device part of the windows domain and > use windows DC as KDC for my embedded divice. Embedded device has MIT > Kerberos. I am using GSS API . > > * How can we get the TGT for the server programatically ( transperently > ) with out u...
Change password without old password in kerberos 5 on linux
Hello I'm having a problem changing a user's password, in the event that they forgot their password. I'm creating a CGI script in C, since we're trying to automate forgotten password. I can use the script to change a user's password by using the function krb5_get_init_creds_password in krb5.h. Unfortunately I can't use the function krb5_change_password without calling the previous function. I've read that krb5_get_init_creds_password creates a TGT for the user, so he or she is able to change their password. But the idea is that the user can change their password without authenticating with their old password first. Is this possible? Hope you all can help! Regards Claus Nielsen ...
Kerberos password expiration
Hello All, I am searching the right way to implement a password expiration in base of users. My goal is to set the password expiration of the users into 90 Days, but is not that clear how it works. I have the users already working, but now how i can set a password expiration policy? Any hint (i have googled a little, but i don't find anything interesting) is well accepted. Cordially, Claudio Prono. -- -------------------------------------------------------------------------------- Claudio Prono OPST System Developer ...
Changing password with MIT Kerberos for Windows 2.5
Hello everyone: I've downloaded and installed MIT Kerberos for Windows 2.5 on a Windows XP system. I've configured it to connect to a Heimdal KDC, a non windows realm. I'm able to obtain a ticket using Leash Kerberos Ticket Manager and the kinit utility from the command line. The problem I'm having is not being able to change the password from Leash and not having a kpasswd utility available. The error I get, using Leash, when I attempt to change the password is: "could not connect to server." Can I do it from the command line? How do I obtain a kpasswd utitility to change the password. Can somebody help me... Thanks! -Ruben ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos >>>>> "Ruben" == Ruben Becerra <Ruben.H.Becerra@jpl.nasa.gov> writes: Ruben> Hello everyone: I've downloaded and installed MIT Kerberos Ruben> for Windows 2.5 on a Windows XP system. I've configured it Ruben> to connect to a Heimdal KDC, a non windows realm. I'm able Ruben> to obtain a ticket using Leash Kerberos Ticket Manager and Ruben> the kinit utility from the command line. The problem I'm Ruben> having is not being able to change the password from Leash Ruben> and not having a kpasswd utility available. I'm not sure this is the problem you are having, but until fai...
linux clients for W2K domains. (key words samba kerberos ldap winbind clients)
I want to have my linux workstations (20-30 of them) authenticate against the domain and automount user home directories into /home/username. (rather like a NIS domain does for our Solaris network). The howtos I am reading on this topic seem to refer to linux and windows clients talking to samba servers. I do have one linux server on the domain but the users home shares (for normal Windows sessions) are on a W2K fileserver and to get the linux server authenticating for users web spaces I have used pam_smd and the users are all known to the linux server because they have accounts on it. Wher...
Kerberos Password change over WWW
Hi, I'm using Linux, OpenLDAP and MIT Kerberos with mod_auth_kerb over SSL for website authentication and single-sign-on. Is there an open-source product that is secure and will permit password changes to kerberos via the web (e.g. .cgi program or similar). I am expecting the user to have already authenticated with their existing username / password - this is so they can then change their current password. Thanks, Brett ...
Kerberos password change specification
Hello. I was wondering where is the specification for the original Kerberos Change Password protocol, as I could not find it so far. RFC 3244 only details the Windows extension, and for what I've seen of RFC 1510, there is no mention of how the Password change actually works. (or I've missed it somehow) Why does RFC 1510 refer to the password change service (example: "(The password-changing request must not be honored unless the requester can provide the old password (the user's current secret key)"), but not actually specify how it works, or refer to some other document that does? I've searched a bit more and found these documents: http://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-set-passwd-00 Are these the specifications? If so, why are these still drafts, whereas Kerberos is fairly old and mature? I'm not familiar with Kerberos history unfortunately, so I'm confused by this. Regards -- Bruno Medeiros ...
password expiration field set to none after password change
Is there a way to set the 'password expiration' field with modprinc ( pwexpire) to be constant. Currently I've set it at @ 30 days. When this date is reached , the user changes their expiring password, which is all good. However the password expiration field is then reset to 'None': Password expiration date: [none] I have a script that goes round and changes the expiration for another 30 days, so that's OK. But is there a way the value for password expiration can be constant and not reset. (using aix nas/kerberos 5) Thanks pete On Wed, 2010-10-13 at 11:23 -0400, peter sands wrote: > I have a script that goes round and changes the expiration for another > 30 days, so that's OK. But is there a way the value for password > expiration can be constant and not reset. Create a password policy, set its maxlife parameter, and associate that policy with the user principals (perhaps with a script). Example: addpol -maxlife "30 days" users modprinc -policy users user1 Or, if you already have a password policy for user principals, just use something like: modpol -maxlife "30 days" policyname > (using aix nas/kerberos 5) I think the functionality I've described has been in MIT krb5 for a long time, and thus should be present in the version you're using, but I can't be certain. thanks that works pete ...
How to change the password password expiration time- using a telephone
I need to reset a Norstar Call Pilot "password expiration time" to "0" , by using a telephone. I do not want to keep having to changing the password. -- posted via http://forums.cabling-design.com/telecomtech/how-to-change-the-password-password-expiration-time-using-a-5972-.htm using Cabling-Design's Web, RSS and Social Media Interface to comp.dcom.telecom.tech and other telecom groups ...
krb5-kdc: Cannot change passwords if password history is used
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, we recently updated our master KDC from Debian Lenny to Debian Squeeze. This included a kerberos upgrade from 1.6 to 1.8. After the update several users were not able anymore to change their passwords, no matter if kpasswd or kadmin.local was used: change_password: Message size is incompatible with encryption type while changing password for "tex1@UNI-PADERBORN.DE". All our user principals use a policy which sets a password history of 6. The problem disappeared as we set the history to 1, so that no history was used at all. Further investigation showed the involved code parts: #0 krb5_k_decrypt (context=0x6129f0, key=0x636fc0, usage=0, ivec=0x0, input=0x7fffffffc010, output=0x7fffffffc030) at ../../../../src/lib/crypto/krb/decrypt.c:54 #1 0x00007ffff6c31739 in krb5_c_decrypt (context=0x6129f0, keyblock=0x7fffffffc2f0, usage=0, ivec=0x0, input=0x7fffffffc010, output=0x7fffffffc030) at ../../../../src/lib/crypto/krb/decrypt.c:100 #2 0x00007ffff77a4171 in krb5_dbekd_def_decrypt_key_data (context=0x6129f0, mkey=0x7fffffffc2f0, key_data=0x6338c0, dbkey=0x7fffffffc100, keysalt=0x0) at ../../../src/lib/kdb/decrypt_key.c:92 #3 0x00007ffff77a3c67 in krb5_dbekd_decrypt_key_data (kcontext=0x6129f0, mkey=0x7fffffffc2f0, key_data=0x6338c0, dbkey=0x7fffffffc100, keysalt=0x0) at ../../../src/lib/kdb/kdb5.c:2481 #4 0x00007ffff79c27be in check_pw_reuse (context=0x6129f0, mkey=0x6171b0, hist_keyblock=0x7fff...
Kerberos password forced expiration fail
I am running the following configuration: Kerberos 1.4.0 Solaris 9 /usr/lib/ssh/sshd, /usr/bin/ssh /usr/lib/security/pam_krb5.so.1 My /etc/pam.conf for sshd is: sshd auth sufficient pam_krb5.so.1 try_first_pass sshd auth required pam_unix.so.1 I've even included the password entry into the pam.conf other password sufficient pam_krb5.so.1 other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 other password required pam_authtok_store.so.1 Here is my problem. Using kadmin, I force expire the password using: kadmin> modprinc -pwexpire now <principal> After expiration, I then use ssh to log onto a kerberos client, using the expired kerberos password. I've modified the local shadow file so that the password field is an "*"! After expiration, I am still able to log onto the server. If I expire the shadow file, then I am challenged for a password change... the password change, via the pam.conf password entry will change the kerberos password and leave the shadow file with the 0 in the time field of the shadow file, thus the next time a password is requested, it will again show the password has expired for that server. How do I get the sshd / pam_krb5.so.1 to recognize that the kerberos password has expired??? kinit will show that the password in kerberos has expired... but that doesn't help me to insure ...
Fw: Kerberos Password change over WWW
Brett Delle Grazie <bdellegrazie@hotmail.com> wrote: > Is there an open-source product that is secure and will permit > password changes to kerberos via the web (e.g. .cgi program or > similar). I am expecting the user to have already authenticated with > their existing username / password - this is so they can then change > their current password. Try kpasswd.cgi from here: http://www.umich.edu/~umweb/software/ <<CDC ...
question about MIT Kerberos KDC processing PROXY KDC requests
Hello, I understand that proxiable/proxy tickets are rarely used and the corresponding code in the MIT Kerberos implementation is not very well tested. However, I found two possibly buggy places in the KDC code, so I think this is worth asking about. I used the MIT Kerberos distribution and was able to make proxiable/ proxy tickets work, but had two make two changes in the KDC source code. I would like to ask if these are really bugs or not. We use the MIT Kerberos 1.6.3 release. Both suspicious places are in kdc/ kdc_util.c, validate_tgs_request(): 1. line 1144: if (request->kdc_options & NO_TGT_OPTION) { if (!krb5_principal_compare(kdc_context, ticket->server, request_server)) { *status = "SERVER DIDN'T MATCH TICKET FOR RENEW/FORWARD/ETC"; return(KDC_ERR_SERVER_NOMATCH); } } NOT_TGT_OPTION is defined as: #define NO_TGT_OPTION (KDC_OPT_FORWARDED | KDC_OPT_PROXY | KDC_OPT_RENEW | KDC_OPT_VALIDATE) The KDC returns an error here if the server principal in the ticket does not match the one in the KDC request. I can see how this check is required for the "forwarded", "renew" and "validate" KDC requests. However, for a proxy ticket request, it seems that: - the ticket must be a TGT with ticket->server = krbtgt/R1@R2, for some R1 and R2 - the KDC request must have a server principal request->server = the target application server's Kerberos principal Should the #define NO_TGT_OPTI...
Can a user which "password is expired" change its own password?
Hi, Obviously, the ALTER USER statement to change an expired password works from an existing connection. But can a user - with an expired password - change his/her password? -- With regards, Martijn Tonies Database Workbench - tool for InterBase, Firebird, MySQL, Oracle & MS SQL Server Upscene Productions http://www.upscene.com Martijn Tonies wrote: > Hi, > > Obviously, the ALTER USER statement to change an expired password > works from an existing connection. > > But can a user - with an expired password - change his/her password? Depends on whether there is a...
How to synchronize the change of a user password in Kerberos and OpenLDAP.
Hi everybody, I have the following situation. I have a Debian enviroment with user accounts centralized with Kerberos and OpenLDAP for more information of that users. In kerberos y have the hash of the users of the debian system and in OpenLDAP too because there is many web applications that use that LDAP. The problem is the password change. How can I do that a user could do "passwd" in debian system and the password update in Kerberos and LDAP system? can be done with pam system in commom-.password? Thank you everybody. Sorry about my english. Regards Jeluks ...
Can't change kerberos password
I have kerberos authentication installed on my Solaris 8 x86 machine, and I can login fine using my AD credentials. When I try and change my password with kpasswd I get the following error 'kpasswd: unable to get host based service name for realm myrealm.net ' I have the krb5.conf file pointing to our AD domain controller. Is there any special setup for kpasswd in the krb5.conf file? thank you, Tyson Oswald ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...
Can't change password in Kerberos !
Hi all I installed a KDC named ker1.eab.com.vn successfully with krb5-1.6 version, then I add a principal named hung@EAB.COM.VN. These above step go through smoothly, but there is a trouble when I change password for hung@EAB.COM.VN. kpasswd Password for hung@EAB.COM.VN: Enter new password: : Enter it again: : kpasswd: Connection timed out changing password After that I come to Window OS computer, and install kfw-3.2 in it. I get the ticket for hungtt@EAB.COM.VN, and change the password. This software show me following error : "requested protocol version not supported" The same action on other Linux client, and another error : "requested protocol version not supported changing password" It take a lot of time for me to search Internet without any good result. Please help me find out this problem. Thank you very much Hung Ta ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...
Password Changing failing from Windows to MIT KDC
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I posted on this a few days ago but haven't received any replies, so I figure it may have fallen through the cracks. It seems that with the current release of KfW, password changing fails to either a 1.3.4 or 1.4.2 KDC. Yet, earlier versions of KfW don't have this problem. Similarly with Windows native Kerberos password changing. I haven't done testing of the latter myself, but a colleague who works on Windows has. The message he receives is this: Server error: Failed decrypting request The KDC logs show a successful issuing of the kadmin/changepw service credential, but no further action indicating a change password transaction. I suspected a client host firewall problem (re: UDP 464), but the problem continues even with no firewall rules in place. Has something changed with the new versions of KfW? Thanks. Mike _____________________________________________________________________ Mike Friedman System and Network Security mikef@ack.Berkeley.EDU 2484 Shattuck Avenue 1-510-642-1410 University of California at Berkeley http://ack.Berkeley.EDU/~mikef http://security.berkeley.edu _____________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQA/AwUBQwpeNa0bf1iNr4mCEQJMfACguSLN/kmNmUtxMo5ycWBKe6kUtCoAn3ns ExreoCkJTbrHJ/AYjkQSQ18u =9jE3 -----END PGP SIGNATURE----- __________________________________...
Hello, I've been experimenting with heimdal kerberos on the cross-realm authentication, for windows 2000 clients to authenticate to heimdal KDC, and just found out that there seems to be a problem with the changing password interoperability between the win2k client and heimdal KDC. Therefore, I intend to switch to MIT Kerberos but need to confirm the interoperability features of MIT KDC and windows clients: 1. Is the any issue of change password incompatibility between MIT KDC and windows clients ? Will a user from a win2k / winXP machine be able to change his/her password in MIT KDC using ctrl-alt-del or when the password is expired ? In the following link: http://mailman.mit.edu/pipermail/kerberos/2004-April/005326.html, Jeffrey Altman wrote: "I have just tested MIT KDC 1.3.3 with two machines. One which is part of a Windows domain which uses cross-realm trust with a MIT KDC to perform login. In this case the password change does not appear to work on expiration." Has anyone found a way to solve the above problem ? or is this still a limitation of the interoperability between MIT Kerberos KDC and windows client ? 2. Quoting from the paper of Michael Swift, Irina Kosinovsky and Johathan Trostle titled Implementation of Crossrealm Referral Handling in the MIT Kerberos Client: "The Windows 2000 client does not canonicalize names at all, so the short name is sent to the KDC." Hence, if my understanding is correct, a request for service: host...
Request to change MIT Kerberos behavior when principal is expired, deleted or password changed
Hi everyone, I would like to request a change in how MIT Kerberos behaves. I would like for KDC's to reject all requests to issue or renew tickets if the principal is deleted or expired. On a different note, it couldn't hurt to discuss rejecting old tickets after a password change as well. The current behavior is that a valid ticket may be renewed even if the principal has expired, the principal is deleted or the password has been changed after tickets were issued. I appreciate any help in how to request this. Thanks, Jason -------------------------------------------...
Password change (MIT kerberos & Windows AD)
Hi I have following problem. MIT kerberos working together with Windows 2000 domain with cross-realm trust. Users can authenticate themselves in W2K workstation against MIT kerberos realm. As I see everything works fine with authentication. But.... When user attempts to change his/her Kerberos password password change attempt fail with following error: "Unable to change the password on this account due to the following error: 1326: Logon Failure : unknown user name or bad password" Currently we have implemented Kerberos user names with first capital letter. For testing purpouse I created user name with only small letters. And Voila. Password changed successfully. So when user name consist only small letters password change works but when user name first letter is capitalized password change does not work..... Where is the problem???? ****** kdc.log Nov 2 12:03:32 src@host krb5kdc[19607]: AS_REQ (7 etypes {23 -133-128 3 1 24 -135}) 192.168.0.100: ISSUE: authtime 1099389812, etypes {rep=3 tkt=1 ses=1}, Username@REALM.COM for kadmin/changepw@REALM.COM Nov 2 12:03:32 src@host krb5kdc[19607]: AS_REQ (7 etypes {23 -133-128 3 1 24 -135}) 192.168.0.100: ISSUE: authtime 1099389812, etypes {rep=3 tkt=1 ses=1}, Username@REALM.COM for kadmin/changepw@REALM.COM Nov 2 12:03:32 src@london2 krb5kdc[19607]: DISPATCH: repeated (retransmitted?) request from 192.168.0.100, resending previous response Nov 2 12:03:32 src@london2 krb5kdc[19607]: DISPATCH: repeated (retransmitted?)...
RHEL6 not forcing password change when logging in with expired kerberos password
Hello I have a mixed RHEL5/RHEL6 environment and am having problems with RHEL6 forcing users to change their kerberos password when it is expired. RHEL5 works as I'd expect - challenges me to change my expired kerb pw when I log in. The RHEL6 server knows the kerb pw is expired (and shows the message "Warning: password has expired.") but then continues to give me an interactive session (albeit without a valid ticket - klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_541)). Also on RHEL6 servers if I manually enter kinit after ssh'ing I get prompted...
Help on Unix kerberos client->win2k3 kerberos KDC
Hello, I am a newbie to kerberos authentication, and what I am trying to do is to use a Unix ldap client authenticate to the win2k3 server, and add a user to it. The way I tried to do is by following MIT's tutorial and sample code under www.mit.edu/afs/athena/astaff/project/ ldap/AD99/kerberossamp.txt. and I configured the Unix machine based on Microsoft tutorial http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp =========> I can successfully import a tgt from win2k3 KDC server by running kinit, here is the result: $ kdestroy $ kinitPassword for mwang@SYSTEST.abc.COM: $ klist Ticket cache: FILE:/tmp/krb5cc_1023 Default principal: mwang@SYSTEST.abc.COM Valid starting Expires Service principal 10/31/03 17:53:08 11/01/03 03:50:48 krbtgt/SYSTEST.abc.COM@SYSTEST.abc.COM renew until 11/01/03 17:53:08 Kerberos 4 ticket cache: /tmp/tkt1023 klist: You have no tickets cached ===========> Then I tried to run adduser program, I made a little change to the code to set some default values. Here is the result: (New user account is: nweuser) LDAP service name: ldap@bloomber-vy45cz.systest.abc.com ==> client_establish_context Sending init_sec_context token (size=1254)... 60 82 04 e2 06 09 2a 86 48 86 f7 12 01 02 02 01 00 6e 82 04 d1 30 82 04 cd a0 03 02 01 05 a1 03 02 01 0e a2 07 03 05 00 20 00 00 00 a3 82 04 05 61 82 04 01 30 82 03 fd a0 03 02 01 05 a1 17 1b 15 53 59 53 54 45 53 54 2e 42 4c 4f 4f 4d 42 45 52...
MIT Kerberos password change
I have a MIT Kerberos with ldap backend. I change my password simple with kadmin or kpasswd, but now I want include our designers and some other people include in the kerberos auth. But I can't show them, how they can change the password on the command line :P So, is there any nice webinterface to change a kerberos password? Thanks ...
MIT Kerberos clients and Windows KDC
Hi all, I am trying to make an embedded device part of the windows domain and use windows DC as KDC for my embedded divice. Embedded device has MIT Kerberos. I am using GSS API . * How can we get the TGT for the server programatically ( transperently ) with out user intervention ? * If the device restarts, then do I need to store the TGT in persistent memory ? * If I am not wrong, microsoft adds the PAC data which no limitation of size. I have memory constraints. Is it required to store the TGT in non volatile memory ? I need this info since I am trying to find in case if the embedded device reboots ,then do I need to store the TGT in non volatile memory or I can get it again after the device comes up. * Assuming that a client is accessing services on embedded device via Kerberos and there is already a successful kerberos session is established. If at this point, if the embedded device reboots and the device gets TGT again, will it alter the communication in any way ? Could anybody please respond to these queries? Regards in article 1132304089.372626.30620@g49g2000cwa.googlegroups.com, sandypossible@gmail.com at sandypossible@gmail.com wrote on 11/18/05 2:54 AM: > Hi all, > > I am trying to make an embedded device part of the windows domain and > use windows DC as KDC for my embedded divice. Embedded device has MIT > Kerberos. I am using GSS API . > > * How can we get the TGT for the server programatically ( transperently > ) with out u...
Change password without old password in kerberos 5 on linux
Hello I'm having a problem changing a user's password, in the event that they forgot their password. I'm creating a CGI script in C, since we're trying to automate forgotten password. I can use the script to change a user's password by using the function krb5_get_init_creds_password in krb5.h. Unfortunately I can't use the function krb5_change_password without calling the previous function. I've read that krb5_get_init_creds_password creates a TGT for the user, so he or she is able to change their password. But the idea is that the user can change their password without authenticating with their old password first. Is this possible? Hope you all can help! Regards Claus Nielsen ...
Kerberos password expiration
Hello All, I am searching the right way to implement a password expiration in base of users. My goal is to set the password expiration of the users into 90 Days, but is not that clear how it works. I have the users already working, but now how i can set a password expiration policy? Any hint (i have googled a little, but i don't find anything interesting) is well accepted. Cordially, Claudio Prono. -- -------------------------------------------------------------------------------- Claudio Prono OPST System Developer ...
Changing password with MIT Kerberos for Windows 2.5
Hello everyone: I've downloaded and installed MIT Kerberos for Windows 2.5 on a Windows XP system. I've configured it to connect to a Heimdal KDC, a non windows realm. I'm able to obtain a ticket using Leash Kerberos Ticket Manager and the kinit utility from the command line. The problem I'm having is not being able to change the password from Leash and not having a kpasswd utility available. The error I get, using Leash, when I attempt to change the password is: "could not connect to server." Can I do it from the command line? How do I obtain a kpasswd utitility to change the password. Can somebody help me... Thanks! -Ruben ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos >>>>> "Ruben" == Ruben Becerra <Ruben.H.Becerra@jpl.nasa.gov> writes: Ruben> Hello everyone: I've downloaded and installed MIT Kerberos Ruben> for Windows 2.5 on a Windows XP system. I've configured it Ruben> to connect to a Heimdal KDC, a non windows realm. I'm able Ruben> to obtain a ticket using Leash Kerberos Ticket Manager and Ruben> the kinit utility from the command line. The problem I'm Ruben> having is not being able to change the password from Leash Ruben> and not having a kpasswd utility available. I'm not sure this is the problem you are having, but until fai...
linux clients for W2K domains. (key words samba kerberos ldap winbind clients)
I want to have my linux workstations (20-30 of them) authenticate against the domain and automount user home directories into /home/username. (rather like a NIS domain does for our Solaris network). The howtos I am reading on this topic seem to refer to linux and windows clients talking to samba servers. I do have one linux server on the domain but the users home shares (for normal Windows sessions) are on a W2K fileserver and to get the linux server authenticating for users web spaces I have used pam_smd and the users are all known to the linux server because they have accounts on it. Wher...
Kerberos Password change over WWW
Hi, I'm using Linux, OpenLDAP and MIT Kerberos with mod_auth_kerb over SSL for website authentication and single-sign-on. Is there an open-source product that is secure and will permit password changes to kerberos via the web (e.g. .cgi program or similar). I am expecting the user to have already authenticated with their existing username / password - this is so they can then change their current password. Thanks, Brett ...
Kerberos password change specification
Hello. I was wondering where is the specification for the original Kerberos Change Password protocol, as I could not find it so far. RFC 3244 only details the Windows extension, and for what I've seen of RFC 1510, there is no mention of how the Password change actually works. (or I've missed it somehow) Why does RFC 1510 refer to the password change service (example: "(The password-changing request must not be honored unless the requester can provide the old password (the user's current secret key)"), but not actually specify how it works, or refer to some other document that does? I've searched a bit more and found these documents: http://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-set-passwd-00 Are these the specifications? If so, why are these still drafts, whereas Kerberos is fairly old and mature? I'm not familiar with Kerberos history unfortunately, so I'm confused by this. Regards -- Bruno Medeiros ...
password expiration field set to none after password change
Is there a way to set the 'password expiration' field with modprinc ( pwexpire) to be constant. Currently I've set it at @ 30 days. When this date is reached , the user changes their expiring password, which is all good. However the password expiration field is then reset to 'None': Password expiration date: [none] I have a script that goes round and changes the expiration for another 30 days, so that's OK. But is there a way the value for password expiration can be constant and not reset. (using aix nas/kerberos 5) Thanks pete On Wed, 2010-10-13 at 11:23 -0400, peter sands wrote: > I have a script that goes round and changes the expiration for another > 30 days, so that's OK. But is there a way the value for password > expiration can be constant and not reset. Create a password policy, set its maxlife parameter, and associate that policy with the user principals (perhaps with a script). Example: addpol -maxlife "30 days" users modprinc -policy users user1 Or, if you already have a password policy for user principals, just use something like: modpol -maxlife "30 days" policyname > (using aix nas/kerberos 5) I think the functionality I've described has been in MIT krb5 for a long time, and thus should be present in the version you're using, but I can't be certain. thanks that works pete ...
How to change the password password expiration time- using a telephone
I need to reset a Norstar Call Pilot "password expiration time" to "0" , by using a telephone. I do not want to keep having to changing the password. -- posted via http://forums.cabling-design.com/telecomtech/how-to-change-the-password-password-expiration-time-using-a-5972-.htm using Cabling-Design's Web, RSS and Social Media Interface to comp.dcom.telecom.tech and other telecom groups ...
krb5-kdc: Cannot change passwords if password history is used
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, we recently updated our master KDC from Debian Lenny to Debian Squeeze. This included a kerberos upgrade from 1.6 to 1.8. After the update several users were not able anymore to change their passwords, no matter if kpasswd or kadmin.local was used: change_password: Message size is incompatible with encryption type while changing password for "tex1@UNI-PADERBORN.DE". All our user principals use a policy which sets a password history of 6. The problem disappeared as we set the history to 1, so that no history was used at all. Further investigation showed the involved code parts: #0 krb5_k_decrypt (context=0x6129f0, key=0x636fc0, usage=0, ivec=0x0, input=0x7fffffffc010, output=0x7fffffffc030) at ../../../../src/lib/crypto/krb/decrypt.c:54 #1 0x00007ffff6c31739 in krb5_c_decrypt (context=0x6129f0, keyblock=0x7fffffffc2f0, usage=0, ivec=0x0, input=0x7fffffffc010, output=0x7fffffffc030) at ../../../../src/lib/crypto/krb/decrypt.c:100 #2 0x00007ffff77a4171 in krb5_dbekd_def_decrypt_key_data (context=0x6129f0, mkey=0x7fffffffc2f0, key_data=0x6338c0, dbkey=0x7fffffffc100, keysalt=0x0) at ../../../src/lib/kdb/decrypt_key.c:92 #3 0x00007ffff77a3c67 in krb5_dbekd_decrypt_key_data (kcontext=0x6129f0, mkey=0x7fffffffc2f0, key_data=0x6338c0, dbkey=0x7fffffffc100, keysalt=0x0) at ../../../src/lib/kdb/kdb5.c:2481 #4 0x00007ffff79c27be in check_pw_reuse (context=0x6129f0, mkey=0x6171b0, hist_keyblock=0x7fff...
Kerberos password forced expiration fail
I am running the following configuration: Kerberos 1.4.0 Solaris 9 /usr/lib/ssh/sshd, /usr/bin/ssh /usr/lib/security/pam_krb5.so.1 My /etc/pam.conf for sshd is: sshd auth sufficient pam_krb5.so.1 try_first_pass sshd auth required pam_unix.so.1 I've even included the password entry into the pam.conf other password sufficient pam_krb5.so.1 other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 other password required pam_authtok_store.so.1 Here is my problem. Using kadmin, I force expire the password using: kadmin> modprinc -pwexpire now <principal> After expiration, I then use ssh to log onto a kerberos client, using the expired kerberos password. I've modified the local shadow file so that the password field is an "*"! After expiration, I am still able to log onto the server. If I expire the shadow file, then I am challenged for a password change... the password change, via the pam.conf password entry will change the kerberos password and leave the shadow file with the 0 in the time field of the shadow file, thus the next time a password is requested, it will again show the password has expired for that server. How do I get the sshd / pam_krb5.so.1 to recognize that the kerberos password has expired??? kinit will show that the password in kerberos has expired... but that doesn't help me to insure ...
Fw: Kerberos Password change over WWW
Brett Delle Grazie <bdellegrazie@hotmail.com> wrote: > Is there an open-source product that is secure and will permit > password changes to kerberos via the web (e.g. .cgi program or > similar). I am expecting the user to have already authenticated with > their existing username / password - this is so they can then change > their current password. Try kpasswd.cgi from here: http://www.umich.edu/~umweb/software/ <<CDC ...
question about MIT Kerberos KDC processing PROXY KDC requests
Hello, I understand that proxiable/proxy tickets are rarely used and the corresponding code in the MIT Kerberos implementation is not very well tested. However, I found two possibly buggy places in the KDC code, so I think this is worth asking about. I used the MIT Kerberos distribution and was able to make proxiable/ proxy tickets work, but had two make two changes in the KDC source code. I would like to ask if these are really bugs or not. We use the MIT Kerberos 1.6.3 release. Both suspicious places are in kdc/ kdc_util.c, validate_tgs_request(): 1. line 1144: if (request->kdc_options & NO_TGT_OPTION) { if (!krb5_principal_compare(kdc_context, ticket->server, request_server)) { *status = "SERVER DIDN'T MATCH TICKET FOR RENEW/FORWARD/ETC"; return(KDC_ERR_SERVER_NOMATCH); } } NOT_TGT_OPTION is defined as: #define NO_TGT_OPTION (KDC_OPT_FORWARDED | KDC_OPT_PROXY | KDC_OPT_RENEW | KDC_OPT_VALIDATE) The KDC returns an error here if the server principal in the ticket does not match the one in the KDC request. I can see how this check is required for the "forwarded", "renew" and "validate" KDC requests. However, for a proxy ticket request, it seems that: - the ticket must be a TGT with ticket->server = krbtgt/R1@R2, for some R1 and R2 - the KDC request must have a server principal request->server = the target application server's Kerberos principal Should the #define NO_TGT_OPTI...
Can a user which "password is expired" change its own password?
Hi, Obviously, the ALTER USER statement to change an expired password works from an existing connection. But can a user - with an expired password - change his/her password? -- With regards, Martijn Tonies Database Workbench - tool for InterBase, Firebird, MySQL, Oracle & MS SQL Server Upscene Productions http://www.upscene.com Martijn Tonies wrote: > Hi, > > Obviously, the ALTER USER statement to change an expired password > works from an existing connection. > > But can a user - with an expired password - change his/her password? Depends on whether there is a...
How to synchronize the change of a user password in Kerberos and OpenLDAP.
Hi everybody, I have the following situation. I have a Debian enviroment with user accounts centralized with Kerberos and OpenLDAP for more information of that users. In kerberos y have the hash of the users of the debian system and in OpenLDAP too because there is many web applications that use that LDAP. The problem is the password change. How can I do that a user could do "passwd" in debian system and the password update in Kerberos and LDAP system? can be done with pam system in commom-.password? Thank you everybody. Sorry about my english. Regards Jeluks ...
Can't change kerberos password
I have kerberos authentication installed on my Solaris 8 x86 machine, and I can login fine using my AD credentials. When I try and change my password with kpasswd I get the following error 'kpasswd: unable to get host based service name for realm myrealm.net ' I have the krb5.conf file pointing to our AD domain controller. Is there any special setup for kpasswd in the krb5.conf file? thank you, Tyson Oswald ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...
Can't change password in Kerberos !
Hi all I installed a KDC named ker1.eab.com.vn successfully with krb5-1.6 version, then I add a principal named hung@EAB.COM.VN. These above step go through smoothly, but there is a trouble when I change password for hung@EAB.COM.VN. kpasswd Password for hung@EAB.COM.VN: Enter new password: : Enter it again: : kpasswd: Connection timed out changing password After that I come to Window OS computer, and install kfw-3.2 in it. I get the ticket for hungtt@EAB.COM.VN, and change the password. This software show me following error : "requested protocol version not supported" The same action on other Linux client, and another error : "requested protocol version not supported changing password" It take a lot of time for me to search Internet without any good result. Please help me find out this problem. Thank you very much Hung Ta ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...
Password Changing failing from Windows to MIT KDC
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I posted on this a few days ago but haven't received any replies, so I figure it may have fallen through the cracks. It seems that with the current release of KfW, password changing fails to either a 1.3.4 or 1.4.2 KDC. Yet, earlier versions of KfW don't have this problem. Similarly with Windows native Kerberos password changing. I haven't done testing of the latter myself, but a colleague who works on Windows has. The message he receives is this: Server error: Failed decrypting request The KDC logs show a successful issuing of the kadmin/changepw service credential, but no further action indicating a change password transaction. I suspected a client host firewall problem (re: UDP 464), but the problem continues even with no firewall rules in place. Has something changed with the new versions of KfW? Thanks. Mike _____________________________________________________________________ Mike Friedman System and Network Security mikef@ack.Berkeley.EDU 2484 Shattuck Avenue 1-510-642-1410 University of California at Berkeley http://ack.Berkeley.EDU/~mikef http://security.berkeley.edu _____________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQA/AwUBQwpeNa0bf1iNr4mCEQJMfACguSLN/kmNmUtxMo5ycWBKe6kUtCoAn3ns ExreoCkJTbrHJ/AYjkQSQ18u =9jE3 -----END PGP SIGNATURE----- __________________________________...
Web resources about - MIT Kerberos KDC & W2K Client: Changing expired password issueMIT Kerberos KDC & W2K Client: Changing expired password issue - comp.protocols.kerberos
Kerberos (protocol) - Wikipedia, the free encyclopediaMIT developed Kerberos to protect network services provided by Project Athena . The protocol is based on the earlier Needham-Schroeder Symmetric ...
Trekkies miss out after push to name Pluto moon 'Vulcan' fails; Kerberos and Styx chosen insteadBAD news, 'Star Trek' fans: Pluto's fourth and fifth moons have been named Kerberos and Styx, despite 'Vulcan' being the top suggestion.
Meet Pluto's smallest moons: Kerberos and StyxPluto's two smallest known moons have been officially named after characters associated with the underworld of Greek and Roman mythology.
Pluto's moons named Styx and Kerberos, despite vote for Vulcan
... Astronomical Union vetoed a public vote to name one of Pluto's two most recently discovered moons Vulcan and named the moons Styx and Kerberos. ...
... Astronomical Union vetoed a public vote to name one of Pluto's two most recently discovered moons Vulcan and named the moons Styx and Kerberos. ...
Meet Styx and Kerberos, Pluto's newly named moons... of new moons orbiting Pluto (at SETI's behest), it decided to do some planetoid naming, too. Today, SETI announced those names: Styx and Kerberos. ...
Microsoft Issues Emergency Patch for Kerberos Bug
The vulnerability could enable an attacker to elevate privileges. Microsoft recommends that organizations consider rebuilding their Windows domains. ...
The vulnerability could enable an attacker to elevate privileges. Microsoft recommends that organizations consider rebuilding their Windows domains. ...
Kerberos Productions Offers Expertise to President on the Weaponization of Outer Space... game violence to the President and Vice-President of the United States, Sword of the Stars 1 & 2, Fort Zombie, and NorthStar developer Kerberos ...
The fourth and fifth moons of Pluto have officially been named Kerberos and Styx, respectively.The fourth and fifth moons of Pluto have officially been named Kerberos and Styx , respectively. The Earth's moon is still named fucking "Aiden." ...
Poll For Pluto's Moons Closes, Vulcan and Kerberos Win - GeekosystemFirst the SETI Institute put it up for vote, then the geeks and nerds swarmed the Internet, and now it's as certain as it can be before the International ...
Kerberos unleashed at last: Pluto’s dog-bone moon poses another mysteryNASA’s New Horizons probe has finally filled out its family portrait of Pluto and its moons – and Kerberos, the last moon to get its closeup, ...
Resources last updated: 3/10/2016 11:05:21 PM