I am relatively new to Kerberos, and as part of the installation of FreeIPA, I am writing a script to be used by Samba for password changes.

I read about kadmin.local, but the man page says "If the database is LDAP, kadmin.local need not be run on the KDC." so I am unable to use it instead of kadmin, which requires a password that I do not understand very well how to supply.

The first time I started the kadmin service on a CentOS server, it said it was adding a few principals with these two commands:

    /usr/kerberos/sbin/kadmin.local ${KRB5REALM:+-r $KRB5REALM} -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin${KRB5REALM:[EMAIL PROTECTED] kadmin/changepw${KRB5REALM:[EMAIL PROTECTED]"

    /usr/kerberos/sbin/kadmin.local ${KRB5REALM:+-r $KRB5REALM} -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/`hostname`${KRB5REALM:[EMAIL PROTECTED]" 2> /dev/null && success

This immediately disabled the usage of kpasswd (unable to find KDC error) or kinit with an expired password.

How can I use the network version of kadmin in order to change a user password? Which principal can I use with the right privileges?

"change_password: Operation requires ``change-password'' privilege while changing password for ..."

Does kadmin only replace the password, or does it reset the last password change date/time and related fields?

Thanks in advance