kpasswd lies

[David Komanek <xdavid@lib-eth.natur.cuni.cz>]

Hi all,

although I have still unresolved questions in the list, I have new ones,
sorry :-)

I.
Unfortunately I got into the following situation: "primary" kdc and
kadmind were not running, so kpasswdd ran on another host than kdc.
According to man pages there is a need to run kpasswd on the same host as
primary kdc. In this situation user passwords are really not changed, but
kpasswd tells it was successfull on every attempt:

$ /usr/local/heimdal/bin/kpasswd
komanek@NATUR.CUNI.CZ's Password:
New password:
Verifying password - New password:
Success : Password changed

I consider it to be a bug, isn't it ?

II.
Another question: I use my own program to change passwords simultaneously
in various environments where the user has an account. One of them is
kerberos. After I verify the old password and verify the complexity of the
new password of the user, I subsequently call routines changing passwords
in various databases. My idea is to change password in heimdal directly,
without the need to run kpasswdd and reimplement code from kpasswd.c to my
own program. Another problem could be if kpasswdd would be accessible
for users directly - they could de-synchronize their passwords. How can
the direct password change on kdc be done via API (a working example is a
best answer for me :-) ?

Thanks in advance,

  David Komanek