When utilizing Microsoft AD as a KDC against MIT clients, I am seeing the following error/warning when changing passwords via kpasswd:

kpasswd: Incorrect net address changing password

The password *is* properly changed, but this message displays.

Here's the rub: the KDC being used for the password change is a Microsoft RODC (read-only domain controller). The MS specs for this state that when a password change request is received by the RODC, it "forwards" this on the client's behalf to a writable domain controller (WDC). So we see the AS-REQ/REP pair for cname:username sname:kadmin/changepw pass from the client to the RODC, followed by the actual kpasswd exchange. Looking at just this exchange, you would think that the RODC is servicing this request... As stated, however, the RODC actually "forwards" each of these requests to a WDC, which is actually providing the answer back to the RODC to be "proxied" back to the client. So we see these 4 exchange packets also pass between the RODC and the WDC; the only apparent difference is the source and destination IP addresses.

I'm not sure if this "forwarding" of requests is based upon a standard Kerberos protocol, or if it is something designed specifically as an MS extension. I'm also not sure what is contained within the exchange that would cause the client to provide the "Incorrect net address" error, as I see no IP addresses or server names within the exchanges. I know that this "forwarding" is causing the error, because it does not exhibit itself when changing directly on the WDC.

Can someone provide any insight into this?

Thanks very much.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
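An added illustration, not part of the original post: a minimal DER walker for the s-address that every KRB-PRIV message, the kpasswd reply included, carries inside its encrypted EncKrbPrivPart (RFC 4120 section 5.7.1), plus the receiver-side comparison against the peer the request was sent to, which is the check MIT reports as KRB5KRB_AP_ERR_BADADDR ("Incorrect net address"). The addresses (192.0.2.10 for the RODC, 192.0.2.20 for the WDC) and the reply bytes are constructed here, and the premise that the proxied reply carries the WDC's own address in s-address is an assumption consistent with the symptom, not something the post's capture shows.

```python
import ipaddress

# MIT's error text for KRB5KRB_AP_ERR_BADADDR, as seen in the kpasswd output above.
BADADDR = "Incorrect net address"

def tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with short-form length (all sample values are < 128 bytes)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def enc_privpart(user_data: bytes, s_addr: str) -> bytes:
    """Build an EncKrbPrivPart ([APPLICATION 28] SEQUENCE) with only its required fields:
    user-data [0] and s-address [4] (HostAddress, addr-type 2 = IPv4). Constructed sample."""
    host = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))
                    + tlv(0xA1, tlv(0x04, ipaddress.ip_address(s_addr).packed)))
    return tlv(0x7C, tlv(0x30, tlv(0xA0, tlv(0x04, user_data)) + tlv(0xA4, host)))

def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos); handles short- and long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long form: next n bytes hold the length
        n, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + ln], pos + ln

def children(body: bytes) -> dict:
    """Map context tag -> value for the members of a SEQUENCE body."""
    out, pos = {}, 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        out[tag] = val
    return out

def s_address_of(privpart: bytes) -> str:
    """Extract the sender address the receiver compares against the peer it talked to."""
    tag, body, _ = parse_tlv(privpart)
    assert tag == 0x7C, "not an EncKrbPrivPart"
    fields = children(parse_tlv(body)[1])          # inner SEQUENCE of EncKrbPrivPart
    hf = children(parse_tlv(fields[0xA4])[1])      # s-address [4] -> HostAddress SEQUENCE
    addr_type = int.from_bytes(parse_tlv(hf[0xA0])[1], "big", signed=True)
    raw = parse_tlv(hf[0xA1])[1]
    if addr_type == 2:
        return str(ipaddress.IPv4Address(raw))
    if addr_type == 24:
        return str(ipaddress.IPv6Address(raw))
    raise ValueError(f"unsupported addr-type {addr_type}")

def check_reply(sent_to: str, reply_privpart: bytes):
    """Receiver check modelled on krb5_rd_priv: s-address must equal the peer we sent to."""
    return None if s_address_of(reply_privpart) == sent_to else BADADDR

# Constructed reply: the WDC answers with result code 0 (success) and its own address.
RODC, WDC = "192.0.2.10", "192.0.2.20"
WDC_REPLY = enc_privpart(b"\x00\x00", WDC)

if __name__ == "__main__":
    print("via RODC:", check_reply(RODC, WDC_REPLY))   # password changed, but BADADDR
    print("direct:  ", check_reply(WDC, WDC_REPLY))    # None
```

Because the address sits in the encrypted part, a capture shows no IP inside the exchange even though the client is comparing one; the plaintext headers only show the RODC as the peer.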