Kerberos – Can’t change passwords

  • #366209
    mcnaugha
    Participant

    At first thought we were having a problem with the Windows PDC not allowing PC users to change their passwords… but it turns out it’s actually Kerberos that’s failing. I tried the Kerberos GUI tool on Mac OS X and it proved the problem is Kerberos. See the KDC log entry:

    May 18 10:57:34 g5server.sjsschool.co.uk krb5kdc[205](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.3: REQUIRED PWCHANGE: [email protected] for krbtgt/[email protected], Password has expired
    May 18 10:57:43 g5server.sjsschool.co.uk krb5kdc[205](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.3: NEEDED_PREAUTH: [email protected] for kadmin/[email protected], Additional pre-authentication required
    May 18 10:57:44 g5server.sjsschool.co.uk krb5kdc[205](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.3: CHECK_PWS_ACCT: [email protected] for kadmin/[email protected], Cannot allocate memory

    Seen this before? Any quick fixes other than tearing down my ODM and re-promoting?

    I am just trying switching spnego off on Samba to see if I can by-pass this faulty KDC.

    Thanks in advance

    #366220
    mcnaugha
    Participant

    I had to do a clean build in order to get the Windows XP clients to be able to change their passwords. Very annoying and time consuming.

    This probably isn’t linked to Kerberos given that the Kerberos still cannot let me reset my password when it is set as an option from Workgroup Manager.

    All Windows XP clients need to have their local profiles flushed and profiles on the server need to be renamed and data manually migrated. What a nightmare!
