Re^2: Change a user's Kerberos Password?

by 5mi11er (Deacon)
on Mar 26, 2009 at 13:52 UTC (#753414)

in reply to Re: Change a user's Kerberos Password?
in thread Change a user's Kerberos Password?

Ah, I'd not remembered you could inline C like that. I had similar C code from some other project I'd found on the 'net, but I wasn't looking forward to figuring out all the error checking I'd need between that executable and perl. Using this, I wouldn't have to worry about it as much.

But I had continued my quest for a pure Perl solution while waiting for replies to my question. I sent some email to one of the authors of the Kerberos modules, Jeff Horwitz, and he sent the following code as a quick example of how he allows users to change their password. He states in his email:

here's some patched together code that should do the trick (insert your own username, password, and error checking):
    use strict;
    use warnings;
    use Authen::Krb5;
    use Authen::Krb5::Admin;

    # Insert your own username and password here (placeholders as posted).
    my ($user, $pw) = ('USERNAME_PLACEHOLDER', 'PASSWORD_PLACEHOLDER');

    Authen::Krb5::init_context();
    # Authenticates as the user with their own password (no admin rights needed).
    my $kadm  = Authen::Krb5::Admin->init_with_password($user, $pw);
    my $princ = Authen::Krb5::parse_name($user);
    # Second argument is the new password; the quick example reuses $pw.
    my $rc    = $kadm->chpass_principal($princ, $pw);
Being part of the "Admin" package, I had assumed that the chpass_principal method needed administrative access rights; apparently that assumption was incorrect. I've not yet tried it, but I have no reason to believe it won't work. When I get a chance to try it out, hopefully by the end of today, I'll report back.

Update: Sorry for the delay, I had other projects that kept me from testing this until late last Friday. This doesn't work on an expired password as I need. The init_with_password method returns an error saying the password has expired, thus the $kadm object is invalid, and the chpass_principal method can not be called. Looks like it's back to the inline C code... -Scott

Re^3: Change a user's Kerberos Password?
by enemyofthestate (Scribe) on Jun 24, 2009 at 19:33 UTC

    Does anyone know how to get Authen::Krb5::Admin->init_with_password to work with something besides the default realm?

    I tried:

    use strict;
    use warnings;
    use Authen::Krb5;
    use Authen::Krb5::Admin;

    my $MSAD_HOST   = "AD domain controller";
    my $MSAD_DOMAIN = "AD domain";   # missing semicolon added
    my ($user, $oldpw) = ('USERNAME_PLACEHOLDER', 'OLD_PASSWORD_PLACEHOLDER');

    # These modules report errors via their error() functions, not $@.
    Authen::Krb5::init_context() or die Authen::Krb5::error();
    my $krb5conf = Authen::Krb5::Admin::Config->new();
    $krb5conf->admin_server($MSAD_HOST);
    $krb5conf->realm($MSAD_DOMAIN);
    my $kadm5 = Authen::Krb5::Admin->init_with_password($user, $oldpw, KADM5_CHANGEPW_SERVICE, $krb5conf)
        or die Authen::Krb5::Admin::error();

    The above always dies when I try the init_with_password().

    I can change the password using kpasswd:

    $ kpasswd sptester@DOMAIN.NET

    So I am guessing there is something wrong with my syntax.

      Well, what I did, because I needed to talk to two different AD domains, was to create two krb5.conf files.

      Example: Two companies, two domains, call them ZAY and BXC. First configure your krb5.conf file for connecting to the ZAY domain. Once you're able to kinit and net join to that domain, copy the krb5.conf to zay-krb5.conf.

      Next, configure the krb5.conf file to connect to the BXC domain. Once you're able to kinit and net join to that domain, copy the krb5.conf to bxc-krb5.conf.

      Once you know which domain you want to talk to, let's assume zay for this example, do this:

      export KRB5_CONFIG='zay-krb5.conf'; perl <script name>
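Putting the thread's two snippets together, as an added example that is not any poster's code: a user changes their own password through the kadmin change-password service in an explicitly configured realm, and the expired-password case Scott describes fails with a clear reason instead of an unusable object. The realm, server and credential values are placeholders, and the "expired" match on the error text is an assumption about the library's wording.

```perl
# Added example, not code from this thread: let a user change their own
# Kerberos password via kadmin's change-password service in a chosen realm,
# with the error checking the quick example above leaves to the reader.
use strict;
use warnings;
use Authen::Krb5;
use Authen::Krb5::Admin qw(KADM5_CHANGEPW_SERVICE);

# Returns (1, undef) on success or (0, $reason) on failure; never dies.
sub change_password {
    my (%a) = @_;    # user, old_pw, new_pw, realm, admin_server
    my $client = "$a{user}\@$a{realm}";

    Authen::Krb5::init_context()
        or return (0, 'init_context: ' . Authen::Krb5::error());

    # Target a specific realm instead of the default from krb5.conf,
    # using the same two Config fields as the question above.
    my $cfg = Authen::Krb5::Admin::Config->new();
    $cfg->realm($a{realm});
    $cfg->admin_server($a{admin_server});

    # The change-password service authenticates as the user with the OLD
    # password, so no admin rights are needed. This is also where the
    # expired-password case from the thread fails: no $kadm object, so
    # chpass_principal() can never be reached.
    my $kadm = Authen::Krb5::Admin->init_with_password(
        $client, $a{old_pw}, KADM5_CHANGEPW_SERVICE, $cfg);
    unless ($kadm) {
        my $err = Authen::Krb5::Admin::error();
        # Assumption: the error text mentions "expired" in that case.
        return (0, $err =~ /expired/i
            ? "old password has expired, cannot authenticate ($err)"
            : "init_with_password: $err");
    }

    my $princ = Authen::Krb5::parse_name($client)
        or return (0, 'parse_name: ' . Authen::Krb5::error());
    $kadm->chpass_principal($princ, $a{new_pw})
        or return (0, 'chpass_principal: ' . Authen::Krb5::Admin::error());
    return (1, undef);
}

# Placeholder values; take real ones from a prompt, never the command line.
my ($ok, $why) = change_password(
    user => 'USER_PLACEHOLDER', old_pw => 'OLD_PW_PLACEHOLDER',
    new_pw => 'NEW_PW_PLACEHOLDER', realm => 'EXAMPLE.NET',
    admin_server => 'kdc.example.net');
print $ok ? "password changed\n" : "failed: $why\n";
```

An expired password still has to be reset by another path (the inline C or kpasswd route discussed above), since the change-password service cannot be entered without a valid old password.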
