kpasswd fails on remote, succeeds on local - Kerberos

  1. kpasswd fails on remote, succeeds on local

    Greetings, gurus:

    Assume the following:

    KDC = kdc.bogus.com
    kadmind listening on tcp port 749
    kadmind listening on udp port 464
    krb5kdc listening on udp 88

    kdc.conf includes:
    [realms]
    BOGUS.COM = {
    ...
    kadmind_port = 749
    }

    krb5.conf includes:
    [realms]
    BOGUS.COM = {
    ...
    admin_server = kdc.bogus.com:749
    kpasswd_server = kdc.bogus.com:749
    }

    Remote host = bitty.bogus.com
    kdc.conf the same as above

    I can successfully change a user's password from the console
    of 'kdc', but not from the console of 'bitty'. From 'bitty',
    I execute:

    % kpasswd
    Password for @BOGUS.COM: (good so far)
    Enter new password: :
    Enter it again: : (long wait)
    kpasswd: Connection timed out changing password

    The KDC is issuing a changepw ticket, as seen by the logs on
    'kdc', but the transaction is never completed. I get the same
    failure whether I attempt the password change as or
    . Firewalls are not the issue, and I get the same
    results from all remote hosts. The logs on 'kdc' show no
    reason for the failure.

    Any clues?



  2. Re: kpasswd fails on remote, succeeds on local

    >
    > Greetings, gurus:
    > Assume the following:
    >
    > KDC = kdc.bogus.com
    > kadmind listening on tcp port 749
    > kadmind listening on udp port 464
    > krb5kdc listening on udp 88
    >
    > kdc.conf includes:
    > [realms]
    > BOGUS.COM = {
    > ...
    > kadmind_port = 749
    > }
    >
    > krb5.conf includes:
    > [realms]
    > BOGUS.COM = {
    > ...
    > admin_server = kdc.bogus.com:749
    > kpasswd_server = kdc.bogus.com:749
    > }
    >
    > Remote host = bitty.bogus.com
    > kdc.conf the same as above
    >
    > I can successfully change a user's password from the console
    > of 'kdc', but not from the console of 'bitty'. From 'bitty',
    > I execute:
    >
    > % kpasswd
    > Password for @BOGUS.COM: (good so far)
    > Enter new password: :
    > Enter it again: : (long wait)
    > kpasswd: Connection timed out changing password
    >
    > The KDC is issuing a changepw ticket, as seen by the logs on
    > 'kdc', but the transaction is never completed. I get the same
    > failure whether I attempt the password change as or
    > . Firewalls are not the issue, and I get the same
    > results from all remote hosts. The logs on 'kdc' show no
    > reason for the failure.
    >
    > Any clues?


    Examine the network traffic on the KDC: does the TCP connection to kadmind
    ever get established? Run kadmind in debug mode, and see what it says.

    --
    Richard Silverman
    res@qoxp.net


  3. Re: kpasswd fails on remote, succeeds on local

    On Jun 26, 2006, at 00:24, bogus wrote:
    > KDC = kdc.bogus.com
    > kadmind listening on udp port 464



    > kpasswd_server = kdc.bogus.com:749


    And you say this worked from one of the machines? That surprises me
    a bit.

    Assuming this is just a typo in the email and you really specified
    464...

    > kpasswd: Connection timed out changing password
    >
    > The KDC is issuing a changepw ticket, as seen by the logs on
    > 'kdc', but the transaction is never completed. I get the same
    > failure whether I attempt the password change as or
    > . Firewalls are not the issue, and I get the same
    > results from all remote hosts. The logs on 'kdc' show no
    > reason for the failure.


    What does tcpdump show at the time?

    Does the KDC have multiple addresses? I don't think the kadmind code
    has been updated to deal well with that.

    Ken
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
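
The check the last reply points at, written out as an added example that is not part of the original thread. It parses the krb5.conf stanza quoted in the first post and compares each server relation's port with the listeners the poster listed. The `LISTENERS` table, the function names, and the reading of the UDP 464 listener as the password-change service are assumptions of this example.

```python
import re

# Constructed sample: the krb5.conf stanza quoted in the first post ("..." omitted).
KRB5_CONF = """\
[realms]
BOGUS.COM = {
    admin_server = kdc.bogus.com:749
    kpasswd_server = kdc.bogus.com:749
}
"""

# Listeners as described in the first post (assumed mapping): service -> {(proto, port)}.
LISTENERS = {"kadmin": {("tcp", 749)}, "kpasswd": {("udp", 464)}}

# Service each relation must reach, and the port used when the value names none.
RELATIONS = {"admin_server": ("kadmin", 749), "kpasswd_server": ("kpasswd", 464)}


def realm_relations(conf_text, realm):
    """Return {relation: [values]} for one realm block (nested blocks not handled)."""
    pattern = r"^\s*" + re.escape(realm) + r"\s*=\s*\{(.*?)^\s*\}"
    block = re.search(pattern, conf_text, re.S | re.M)
    out = {}
    if block:
        for line in block.group(1).splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                out.setdefault(key, []).append(value)
    return out


def check_ports(conf_text, realm, listeners):
    """Flag relations whose port has no listener for the service they must reach."""
    findings = []
    rels = realm_relations(conf_text, realm)
    for rel, (service, default_port) in RELATIONS.items():
        ports = {p for _, p in listeners[service]}
        for value in rels.get(rel, []):
            # Values are assumed to be hostname[:port], as in the post.
            host, _, port = value.partition(":")
            port = int(port) if port else default_port
            if port not in ports:
                findings.append((rel, host, port, service))
    return findings


if __name__ == "__main__":
    for rel, host, port, service in check_ports(KRB5_CONF, "BOGUS.COM", LISTENERS):
        print(f"{rel} -> {host}:{port}: no {service} listener on that port")
```

Run against the posted configuration, it reports `kpasswd_server` pointing at port 749 while the only password-change listener described is on 464; a capture on the KDC, as both replies ask for, would confirm where the client's packets actually go.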

