
Re: kpasswd -c /tmp/krb5cc_1000 alice@EXAMPLE.COM doesn't work?



On Sat, 15 Dec 2007 00:28:14 -0500
Michael B Allen <miallen@ioplex.com> wrote:

> If I kinit as the user whose password is being changed and use the ccache
> I get 'Malformed':
> 
>   $ kinit -f alice@EXAMPLE.COM
>   Password for alice@EXAMPLE.COM: 
>   $ ./kpasswd -c /tmp/krb5cc_1000 alice@EXAMPLE.COM
>   New password for alice@EXAMPLE.COM: 
>   Verify password - New password for alice@EXAMPLE.COM: 
>   Malformed
>   ^^^^^^^^^
> 
> Can someone explain as to why the third version does not work?
> 
> Do I have to do an AS-REQ for kadmin/changepw if I'm not an admin?

As usual, never mind. The answer is yes. You need to use a TGT for
kadmin/changepw to change your own password.

AD (and I'm sure most other identity management systems) does not let
you change your own password without supplying the current password
(unless you are an administrator or account operator). This reduces the
chance of exploited code or mischievous persons resetting passwords
without the user's knowledge.

Ultimately I just needed to pass 'kadmin/changepw' to
krb5_get_init_creds_password. The resulting ccache can then be used
with krb5_set_password_using_ccache.

One thing that is odd is that the error returned by AD is
KRB5_KPASSWD_MALFORMED whereas the standard seems to indicate it should
be KRB5_KPASSWD_INITIAL_FLAG_NEEDED (or KRB5_KPASSWD_ACCESSDENIED would
have been good too).

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/