I'm not 100% on the mechanics on the AD side of how your change is still going through, but to avoid the error: have you tested setting, within the realms definition of the AD realm, along with the kdc entry, a kpasswd_server value pointing to the proper host you want the kpasswd exchange to take place with?

On Thu, Jun 4, 2015 at 5:02 PM, Ben H <bhen...@gmail.com> wrote:

> When utilizing Microsoft AD as a KDC against MIT clients, I am seeing the
> following error/warning when changing passwords via kpasswd:
>
> kpasswd: Incorrect net address changing password
>
> The password *is* properly changed, but this message displays.
>
> Here's the rub:
>
> The KDC being used for the password change is a Microsoft RODC (read only
> domain controller).
> The MS specs for this state that when a password change request is received
> by the RODC, it "forwards" this on the client's behalf to a writable domain
> controller (WDC).
>
> So we see the as-req/rep pair for cname:username sname:kadmin/changepw pass
> from the client to the RODC followed by the actual kpasswd exchange.
> Looking at just this exchange you would think that the RODC is servicing
> this request...
>
> As stated however, the RODC actually "forwards" each of these requests to a
> WDC which is actually providing the answer back to the RODC to be "proxied"
> back to the client.
> So we see these 4 exchange packets also pass between the RODC and the WDC -
> the only apparent difference is the source and destination IP addresses.
>
> I'm not sure if this "forwarding" of requests is based upon a standard
> Kerberos protocol, or if it is something designed specifically as a MS
> extension.
>
> I'm also not sure what is contained within the exchange that would cause
> the client to provide the "Incorrect net address" error as I see no IP
> addresses or server names within the exchanges.
>
> I know that this "forwarding" is causing the error, because it does not
> exhibit itself when changing directly on the WDC.
>
> Can someone provide any insight into this?
>
> Thanks very much.
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Todd Grayson
Customer Operations Engineering
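
The following is an added example, not part of the thread or of anyone's posted configuration: a small check that reads the `[realms]` section of a krb5.conf and reports, per realm, which host a password change will be sent to, so a realm whose `kdc` is an RODC but has no `kpasswd_server` stands out. The realm and host names are constructed placeholders, and the fallback order (explicit `kpasswd_server`, then DNS, then port 464 on the `admin_server` host) follows the MIT krb5.conf documentation.

```python
import re

# Constructed sample krb5.conf; realm and host names are placeholders.
SAMPLE = """
[libdefaults]
    default_realm = AD.EXAMPLE.COM

[realms]
    AD.EXAMPLE.COM = {
        kdc = rodc1.ad.example.com
        kpasswd_server = wdc1.ad.example.com
    }
    LAB.EXAMPLE.COM = {
        kdc = rodc2.lab.example.com
        admin_server = rodc2.lab.example.com
    }
"""

def parse_realms(text):
    """Return {realm: {relation: [values]}} from the [realms] section."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, current = m.group(1), None
        elif section != "realms":
            continue
        elif line == "}":
            current = None
        elif line.endswith("{"):
            current = realms.setdefault(line.split("=")[0].strip(), {})
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return realms

def kpasswd_target(realm_cfg):
    """Describe where kpasswd goes, following the documented lookup order."""
    if "kpasswd_server" in realm_cfg:
        return "explicit", realm_cfg["kpasswd_server"]
    if "admin_server" in realm_cfg:
        # Used only if the DNS lookup yields nothing: admin_server host, port 464.
        return "dns-then-admin_server:464", realm_cfg["admin_server"]
    return "dns-only", []

def audit(text):
    """Map each realm to (lookup method, candidate hosts) for kpasswd."""
    return {realm: kpasswd_target(cfg) for realm, cfg in parse_realms(text).items()}
```
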