On 03/15/2011 06:32 PM, Brian Candler wrote: > On Tue, Mar 15, 2011 at 11:21:28AM -0400, Greg Hudson wrote: >> There are two steps involved in changing a Kerberos password. First, >> you request a kadmin/changepw ticket from the KDC using your old >> password; then, you send your new password to the kpasswd service, >> authenticated with the kadmin/changepw ticket. >> >> Based on your KDC logs, the first step is succeeding--at least, from the >> KDC's point of view. The second step is not, suggesting that the client >> has the wrong information for the kpasswd service, or that kadmind isn't >> running (the kpasswd service is normally implemented as part of >> kadmind). > And also: I believe that the kadmin service can't be located from DNS > information (not yet anyway). You have to configure it explicitly in > /etc/krb5.conf
as far as I know DNS SRV records for the kadmin service are not supported by MIT clients. However, SRV records for kpasswd (i.e. _kpasswd._udp.<Realm>) do work. ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
