1) You need to have the latest Kerberos patches from Sun installed. There's a compatibility bug that's fixed along with the security fixes.
2) You need to have an entry for "kpasswd_protocol = SET_CHANGE". See the Sun krb5.conf man page to check my spelling, etc.
3) On Solaris 9 you need an entry for kpasswd_server or it will do a DNS lookup before it falls back to the admin_server entry. (Not documented, but pretty obvious if you look at snoop.)
4) Your Kerberos principal must match an otherwise-defined account on the machine. You can't just change some random principal's password.
I've seen 1 and 4 on Solaris 8, and 3 on Solaris 9. 2 is common to both. Solaris 7 and earlier have Kerberos 4, not K5/SEAM. No experience with Solaris 10 (yet).
At 6:18 PM -0400 4/4/04, [EMAIL PROTECTED] wrote:
Date: Fri, 2 Apr 2004 13:11:38 -0500
From: "Tareq Alrashid" <[EMAIL PROTECTED]>
To: "'Tyson Oswald'" <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: RE: Can't change kerberos password on Active Directory with kpasswd
Make sure you are using MIT Kerberos 'kpasswd', and NOT the Sun SEAM 1.0. I was bitten by this a year ago: while authentication works using Sun's tools, their kpasswd is NOT compatible with MIT's.
hth, Tareq
- [EMAIL PROTECTED] - ITS Middleware 10900 Euclid Avenue, CRAWFORD 422, Cleveland, OH 44106-7072 USA - VOICE:1-216-368-3559, FAX:1-216-368-3165
|-->-----Original Message-----
|-->From: [EMAIL PROTECTED]
|-->[mailto:[EMAIL PROTECTED] On Behalf Of Tyson Oswald
|-->Sent: Friday, April 02, 2004 09:47
|-->To: [EMAIL PROTECTED]
|-->Subject: Can't change kerberos password on Active Directory
|-->with kpasswd
|-->
|-->Hello,
|-->
|-->I have setup kerberos (to Active Directory) authentication
|-->on Solaris 8 with SEAM 1.0. I can authenticate without any
|-->problems, but if I try and use kpasswd to change my
|-->kerberos password I get the following error 'kpasswd:
|-->unable to get host based service name for realm
|-->myRealm.net'. My /etc/krb5/krb5.conf file looks like
|-->
|-->[libdefaults]
|-->  default_realm = MYREALM.NET
|-->  default_tkt_enctypes = des-cbc-md5
|-->  default_tgs_enctype = des-cbc-md5
|-->
|-->[realms]
|-->  MYREALM.NET = {
|-->    kdc = 192.168.0.252:88
|-->  }
|-->
|-->I have looked on google and didn't see any references to
|-->this error. Any help would be greatly appreciated.
|-->
|-->thank you,
|-->
|-->Tyson Oswald
|-->
|-->________________________________________________
|-->Kerberos mailing list [EMAIL PROTECTED]
|-->https://mailman.mit.edu/mailman/listinfo/kerberos
|-->
--
The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government.
[EMAIL PROTECTED], or [EMAIL PROTECTED]
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
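
An added example, not code from anyone in this thread: a small checker for items 2 and 3 of the reply, run against the [realms] stanza from the quoted question and against a constructed corrected stanza. The function names are hypothetical, and the `admin_server` and `kpasswd_server` values (the poster's KDC address, port 464) are assumptions.

```python
import re

# [realms] stanza as posted in the quoted question (no kpasswd settings).
ORIGINAL = """\
[realms]
    MYREALM.NET = {
        kdc = 192.168.0.252:88
    }
"""
# Constructed: items 2 and 3 applied; host and port 464 are assumptions.
FIXED = """\
[realms]
    MYREALM.NET = {
        kdc = 192.168.0.252:88
        admin_server = 192.168.0.252
        kpasswd_server = 192.168.0.252:464
        kpasswd_protocol = SET_CHANGE
    }
"""

def realm_settings(conf, realm):
    """Return {key: [values]} for one realm stanza under [realms]."""
    section, in_realm, out = None, False, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                # new top-level section
            section, in_realm = m.group(1), False
        elif section == "realms":
            if in_realm and line.startswith("}"):
                in_realm = False
            elif re.fullmatch(re.escape(realm) + r"\s*=\s*\{", line):
                in_realm = True
            elif in_realm and "=" in line:
                k, v = (p.strip() for p in line.split("=", 1))
                out.setdefault(k, []).append(v)
    return out

def check_kpasswd(conf, realm):
    """List the password-change settings from items 2 and 3 that are absent."""
    s = realm_settings(conf, realm)
    problems = []
    if s.get("kpasswd_protocol") != ["SET_CHANGE"]:
        problems.append("kpasswd_protocol is not SET_CHANGE")
    if "kpasswd_server" not in s:
        fallback = "admin_server" if "admin_server" in s else "nothing"
        problems.append(f"no kpasswd_server; fallback after DNS lookup is {fallback}")
    return problems
```
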