[30986] in Kerberos
Re: computer account change password with Windows 2008 domain
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Wed Apr 8 17:43:50 2009
Message-ID: <49DD1A7B.6090700@anl.gov>
Date: Wed, 08 Apr 2009 16:43:23 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
To: sanjayk.cse@gmail.com
In-Reply-To: <49DD131E.5050901@anl.gov>
Cc: kerberos@mit.edu
The hotfix 951191 fixed this problem too...
Douglas E. Engert wrote:
> I have run into a similar problem in the last two days, as we have some W2008 DCs
> and some W2003 DCs. The msktutil program to add computer accounts and create keytab
> files then change the password uses the krb5_set_password_using_ccache with the
> admin creds and the change_password_for set to the principal of the machine.
>
> This is the same method used by the MIT ksetpwd command that is built but
> not installed.
>
> Both the ksetpwd and msktutil fail with an error of 3 "Authentication Error"
> to W2008 DCs but work on W2003 DCs.
>
> But if instead of the host/fqdn@realm as the principal,
> I can use samAccountName (without the $) and it will change the password.
>
> So can you try the kpasswd with the account name?
>
> I think this is a known bug in W2008, but have not tracked down the hotfix if any yet.
>
> This may have something to do with smart card support in W2008, where
> the userPrincipalName is now being used to match what is in the
> UPN of a certificate and it does not have to be in the local realm!
>
>
> sanjayk.cse@gmail.com wrote:
>> I have migrated from Windows 2003 AD server to Windows 2008 AD
>> server.
>> With Windows 2003 AD, everything is working fine. With the
>> Windows 2008 AD server I am getting "KRB5_KPASSWD_AUTHERROR"
>> error in reply of KPASSWD.
>> I earlier had heimdal 0.6. I learned that heimdal 1.2 is
>> compatible with Windows 2008/Vista. I integrated heimdal 1.2,
>> but no improvement. Has anyone experienced a similar kind of issue?
>> ________________________________________________
>> Kerberos mailing list Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444