I have run into a similar problem in the last two days, as we have some W2008 DCs and some W2003 DCs. The msktutil program to add computer accounts and create keytab files then change the password uses the krb5_set_password_using_ccache with the admin creds and the change_password_for set to the principal of the machine.

This is the same method used by the MIT ksetpwd command that is built but not installed. Both the ksetpwd and msktutil fail with an error of 3 "Authentication Error" to W2008 DCs but work on W2003 DCs.

But if instead of the host/f...@realm as the principal, I can use samAccountName (without the $) and it will change the password.

So can you try the kpasswd with the account name?

I think this is a known bug in W2008, but have not tracked down the hotfix if any yet. This may have something to do with smart card support in W2008, where the userPrincipalName is now being used to match what is in the UPN of a certificate and it does not have to be in the local realm!

[email protected] wrote:
> I have migrated from Windows 2003 AD server to Windows 2008 AD
> server.
> With Windows 2003 AD, everything is working fine. With the
> Windows 2008 AD server I am getting "KRB5_KPASSWD_AUTHERROR"
> error in reply of KPASSWD.
> I had earlier heimdal0.6. I learned that heimdal 1.2 is
> compatible with windows2008/vista. I integrated the heimdal 1.2,
> but no improvement. Has someone experienced a similar kind of issue?
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--

 Douglas E. Engert <[email protected]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois 60439
 (630) 252-5444
