kpasswd TCP implementation

Luke Howard lukeh at
Mon Jun 26 23:20:02 GMT 2006

>3) We still see a problem in the case of a  user belonging to 1500 groups or more -  the W2k3 server in our lab will not accept a password change (returns a
>kerberos "KRB5_KPASSWD_HARDERROR if I recall correctly").  We traced a Windows XP change password in the case where the password had expired and XP prompted
>for a password change before reattempting the login (which will fail regardless - see below).  We see it using an MS-RPC mechanism to change the password
>instead of Kerberos.  We plan to experiment with requesting a ticket from the W2k3 server that does not contain the PAC and use it to attempt the passworrd
>change, but have not done this yet.  I would hate to have to implement the RPCs but it might be the only way...

Windows clients always use SAMR to change passwords.

They will use kpasswd to set passwords from MMC though.

-- Luke


More information about the samba-technical mailing list