Yes there is -- at least with one assumption...
Assumption: You used a Windows user account (not a computer account) which
is what the .BAT file does
The only composition rules checked are the windows rules. This makes
sense when you understand Kerberos and that you are defining a kerberos
service principal to the Kerberos realm which is managed in AD. Naturally,
the passwords must meet the rules in the environment in which the
userID/service principal is defined. The entry in keytab files on remote
systems must match that entry.
When you want to change the password, change the password on the user
account first. If it is accepted, you know that the password meets the
rules. Then do the ktpass command. Of course, running ktpass again with the
new password (making sure to use "-mapop set") will also fail with some
message saying the password was not valid, which tells you to try another
Here are some tips for managing these passwords (once they are created):
- Always change the password on windows first (so you know if they
meet the windows password rules or not)
- I use the ktpass option to dump the keytab file (-dump arg I
believe), then ftp it to i5/OS in binary mode and overwrite the one in
/qibm/userdata/os400/networkauthentication/keytab/krb5.keytab (note that
path is from memory, could be wrong) rather than using the QSH keytab
- The iNav Mgmt Central synchronize Network Authentication command,
I believe, also updates the service principal's password in AD.
- I use computer accounts rather than user accounts. It makes more
sense and there is no external password interface like there is for user
accounts. I do not believe the windows password composition rules are
applied to these passwords. For Windows clients participating in the domain,
MS automatically manages these passwords.
- I have a program that automates changing of passwords in i5/OS and
in Windows, and I just schedule it and forget it. Windows does not
automatically manage passwords for service principals representing "foreign"
computers (i.e. non-Windows clients). My company can provide this,
as is, for a one-time enterprise-wide charge.
On Fri, Mar 21, 2008 at 4:22 PM, Joe Pluta <joepluta@xxxxxxxxxxxxxxxxx>
> Patrick Botz wrote:
> > One problem lots of folks tend to run into, is that they type a trivial
> > password into the NAS config wizard. When they attempt to create the
> > Windows service principal (via the ktpass command on windows), they get
> > a "password does not match" composition rules for the windows
> > environment. At this point, you have to use a password that meets the
> > windows rules -- but most importantly, you also have to go back and
> > change the password in the keytab file on i5/OS to match whatever new
> > password you provided on the ktpass command in windows.
>
> This is a great point, Patrick. Is there an easy way to "test" a
> password for composition rules? ktpass is not exactly the most
> intuitive tool, at least for me.
VP, Security Consulting
Group8 Security, Inc.
Office 507 285 9048
Cell 507 250 5644
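The "keytab entry must match the AD entry" point above, as an added example that is not code from this thread, from IBM or from Microsoft: a small Python parser for MIT-format (version 0x0502) keytab files that lists each entry's principal, kvno and enctype without printing key material, so the i5/OS krb5.keytab can be checked against the kvno AD reports before a password is changed again. The SPN, key bytes and kvno values in the sample are constructed; the byte layout follows the documented MIT keytab format, and build_entry exists only to construct that sample.

```python
import struct
import hashlib

def _octets(buf, p):
    (n,) = struct.unpack(">H", buf[p:p + 2])
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Parse a version 0x0502 (MIT, big-endian) keytab into a list of dicts.
    Key bytes are never returned, only a SHA-256 fingerprint for comparison."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack(">i", data[pos:pos + 4])[0], pos + 4
        if size < 0: pos -= size; continue      # negative size marks a deleted slot
        e, p = data[pos:pos + size], 2
        (ncomp,) = struct.unpack(">H", e[:2])
        realm, p = _octets(e, p)
        comps = []
        for _ in range(ncomp):
            c, p = _octets(e, p); comps.append(c.decode())
        _nt, _ts, vno, enctype = struct.unpack(">IIBH", e[p:p + 11]); p += 11
        key, p = _octets(e, p)
        if size - p >= 4:                       # optional 32-bit kvno wins when non-zero
            vno = struct.unpack(">I", e[p:p + 4])[0] or vno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno,
                        "enctype": enctype, "key_fp": hashlib.sha256(key).hexdigest()[:16]})
        pos += size
    return entries

def build_entry(principal, kvno, enctype, key):
    # Serialize one entry the way a keytab stores it; used here only for sample input
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype)   # NT_PRINCIPAL, timestamp 0
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: two ktpass runs for one SPN leave old (kvno 3) and current (kvno 4) arcfour-hmac (23) entries
SPN = "krbsvr400/myi5.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(SPN, 3, 23, b"\x11" * 16) + build_entry(SPN, 4, 23, b"\x22" * 16)

def current_kvno(entries, principal):
    # Highest kvno held for the principal; must equal the kvno AD reports for the account
    return max((e["kvno"] for e in entries if e["principal"] == principal), default=None)
```

If the highest kvno in the keytab is lower than the one AD holds, the keytab is stale and a fresh ktpass run (or dump) is needed; a matching kvno with failing logons points at the password itself.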