M wrote:
> We use Active Directory to create User accounts and make the person
> change his/her password the first time he/she logs on to any of our
> machines (linux or windows). Changing password on the Windows machines
> works just fine but no one can change their passwords on a linux
> machine. Not just the first time, but ever.
>
> [user@machine ~]$ passwd
> Changing password for user username.
> Kerberos 5 Password:
> New UNIX password:
> Retype new UNIX password:
>
> After this it just hangs. The password never gets changed. i found
> pre-authentication failure kadmin/changepw...failure code 0x19. in the
> kdc admin-server event log which corresponds to "additional
> pre-authentication required." I googled that but couldn't find a way
> to fix that failure. I don't see anything in the logs on the linux
> machine that I'm trying to change my password on.

Have you tired using the "kpasswd" command instead of "passwd"?

<

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Yep. Tried that. Same behavior. Its not just one linux machine, its
all linux machines that do this. So its something thats set
environment wide...I've ruled out the firewall...not sure what else it
could be.

Thx

Q

On 4/3/07, Christopher D. Clausen wrote:
> M wrote:
> > We use Active Directory to create User accounts and make the person
> > change his/her password the first time he/she logs on to any of our
> > machines (linux or windows). Changing password on the Windows machines
> > works just fine but no one can change their passwords on a linux
> > machine. Not just the first time, but ever.
> >
> > [user@machine ~]$ passwd
> > Changing password for user username.
> > Kerberos 5 Password:
> > New UNIX password:
> > Retype new UNIX password:
> >
> > After this it just hangs. The password never gets changed. i found
> > pre-authentication failure kadmin/changepw...failure code 0x19. in the
> > kdc admin-server event log which corresponds to "additional
> > pre-authentication required." I googled that but couldn't find a way
> > to fix that failure. I don't see anything in the logs on the linux
> > machine that I'm trying to change my password on.
>
> Have you tired using the "kpasswd" command instead of "passwd"?
>
> < >
>
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

M wrote:
> Yep. Tried that. Same behavior. Its not just one linux machine, its
> all linux machines that do this. So its something thats set
> environment wide...I've ruled out the firewall...not sure what else it
> could be.

What does your krb5.conf file look like?

Do you have an "admin_server" specified for your realm?

<

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Yes I do. My default REALM is also correct. I can ping my admin-server
just fine. I've recreated the keytab file to make sure that wasn't the
problem.
Here's the krb5.conf:

[libdefaults]
default_realm = TEST.COM
dns_lookup_realm = true
dns_lookup_kdc = false
forwardable = true
proxiable = true
default_keytab_name = FILE:/etc/krb5.keytab

[realms]
TEST.COM = {
default_domain = TEST.COM
kdc = server1.test.com
kdc = server2.test.com
admin_server = server1.test.com
}

[domain_realm]
.test.com = TEST.COM
test.com = TEST.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
krb4_convert = false
forward = true
encrypt = true
}

I can get a ticket just fine if I try kinit@TEST.COM or klist to see
the tickets after logging in.

Thanks

Q

On 4/3/07, Christopher D. Clausen wrote:
> M wrote:
> > Yep. Tried that. Same behavior. Its not just one linux machine, its
> > all linux machines that do this. So its something thats set
> > environment wide...I've ruled out the firewall...not sure what else it
> > could be.
>
> What does your krb5.conf file look like?
>
> Do you have an "admin_server" specified for your realm?
>
> < >
>
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos