"Smith, Matt" writes:

> All-
>
> I have a need to programmatically reset passwords in our MIT Kerberos
> (1.4.4) realm from Windows (2003 R2), authenticating with a "/admin"
> account and keytab. I am very early in the process, but since I have
> never worked with the MIT libs before, I am hoping someone can wave me
> away from pitfalls in my description below.

Unfortunately, you're in for an adventure, since there is no exposed
library API for the MIT kadmin protocol.

> I will either extend the filter to call into the MIT libs directly, or
> "CreateProcess" a Perl script using "Authen::Krb5::Admin" -- but either
> approach appears to require the MIT libs. We have many more Perl monks
> than C ninjas around here, so for maintainability, I am leaning in the
> CreateProcess/Perl direction.

Authen::Krb5::Admin embeds assumptions about the non-exposed kadmin
library API that may break with later releases of the library, but if you
can get that to work, it's one useful approach. However, I have no idea
if anyone has ever tried on Windows.

> Perusing the source bundles, I do see that it is possible to compile
> on Windows. I have not yet extensively studied the API, but I guess I
> am looking to authenticate an "/admin" princ with a keytab, and issue
> the equivalent of a cpw -pw .

Yup.

> 4) Has anyone done this, and could share any code or documentation?

We took an end-run around this problem and instead use:

http://www.eyrie.org/~eagle/software/kadmin-remctl/

to provide a remctl interface to kadmin calls. This still requires that
you get remctl working on Windows, though. It may or may not be easier
than getting the kadmin libraries working on Windows. I'm not sure.
There is a Perl module available for remctl, but it depends on the Unix
library and I have as yet not had time to incorporate the Windows build
patches into a remctl release:

http://www.eyrie.org/~eagle/software/remctl/

There is, however, a Java client, if that helps any.

--
Russ Allbery (rra@stanford.edu)
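For the Authen::Krb5::Admin route discussed above (an "/admin" principal authenticating from a keytab and issuing the equivalent of cpw), here is an added example script; it is not code from this thread or from the module itself. The admin principal name, keytab path and the refusal to touch instance principals are assumptions, and the calls follow the module's documented init_with_skey / chpass_principal interface as I recall it, so check them against the POD of the version you install.

```perl
#!/usr/bin/perl
# Reset a user's Kerberos password over the MIT kadmin protocol, authenticating
# as an /admin principal from a keytab. Example code written for this thread,
# not part of the thread or of Authen::Krb5::Admin. Assumed: MIT Kerberos client
# libraries plus Authen::Krb5 and Authen::Krb5::Admin are installed; the admin
# principal and keytab path below are placeholders.
use strict;
use warnings;
use Authen::Krb5;
use Authen::Krb5::Admin;

my $ADMIN_PRINC = 'pwreset/admin@EXAMPLE.COM';   # placeholder: needs "c" in kadm5.acl
my $KEYTAB      = '/etc/krb5/pwreset.keytab';   # placeholder: readable only by this service

# Usage: chpw.pl <principal>
# The new password is read from stdin rather than argv, because command-line
# arguments are visible to other local users (ps, Task Manager, audit logs).
my $target = shift @ARGV or die "usage: $0 principal\n";

# Assumed policy: a user password-reset tool must never touch instance
# principals such as foo/admin or host/..., so refuse anything with an instance.
$target !~ m{/} or die "refusing to reset an instance principal: $target\n";

my $newpw = <STDIN>;
defined $newpw or die "no password on stdin\n";
chomp $newpw;
length $newpw or die "empty password\n";

Authen::Krb5::init_context();

# Obtain a kadmin handle using the /admin principal's keytab (no password in
# the script or on the command line).
my $kadm5 = Authen::Krb5::Admin->init_with_skey($ADMIN_PRINC, $KEYTAB)
    or die 'kadmin auth failed: ' . Authen::Krb5::Admin::error() . "\n";

my $princ = Authen::Krb5::parse_name($target)
    or die "cannot parse principal '$target': " . Authen::Krb5::error() . "\n";

# Equivalent of: kadmin -k -t KEYTAB -p ADMIN_PRINC cpw -pw NEWPW TARGET
$kadm5->chpass_principal($princ, $newpw)
    or die "chpass_principal($target) failed: " . Authen::Krb5::Admin::error() . "\n";

print "password changed for $target\n";
```

Invoked from Windows via CreateProcess as the thread proposes, the caller writes the new password to the child's stdin pipe and reads the exit status; a non-zero exit carries the kadmin error text on stderr.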