3

How do you forcefully change a user's Kerberos password in Fedora? The only docs I could find mention kpasswd <username>, but this requires the user's current password, which the admin probably won't know. I found some BSD docs that use k5admin -l, but this doesn't appear to be available in Fedora.

Cerin

1 Answer

2

You want kadmin. This is part of the krb5-workstation package in Fedora and is installed at /usr/bin/kadmin.

You can use kadmin interactively or with a preset query.

```
$ kadmin
Authenticating as principal self/admin@DOMAIN.TLD with password.
Password for self/admin@DOMAIN.TLD: 
kadmin:  cpw
usage: change_password [-randkey] [-keepold] [-e keysaltlist] [-pw password] principal
```

```
kadmin -q "change_password -pw <newpassword> <username>"
```

Note: If using the MIT libraries, which I believe Fedora does, you will have to set the admin_server in the [realms] section of /etc/krb5.conf. Your master server must also be running kadmind (the kadmin service).

```
[realms]
DOMAIN.TLD = {
    admin_server = krb5kdc-master.domain.tld
}
```
mattdm
84104
  • Thanks. I had to modify /var/kerberos/krb5kdc/kadm5.acl to give my user full admin rights, and then restart the krb5kdc and kadmin services, but otherwise kadmin change_password worked. – Cerin Jul 18 '12 at 18:46
  • I had to make a slight modification to make the non-interactive version of the command work: kadmin -l cpw -p newpassword username – alfredocambera Mar 24 '16 at 15:28
  • @alfredocambera Sounds like you are using `heimdal` rather than `(mit-)krb5`. – 84104 Mar 24 '16 at 17:20
  • @84104 indeed. I'm pretty new to Kerberos and it took me a while to find the correct command. Nevertheless this helped me a lot. Is MIT's version better than Heimdal's? I'd appreciate your opinion on this. – alfredocambera Mar 24 '16 at 21:45
  • I edited in the current location on my Fedora 27 system. I have a CentOS 7 box handy and it's in the same location; what CentOS has it at `/usr/kerberos/sbin/kadmin`? – mattdm Oct 12 '17 at 17:26
  • @mattdm CentOS 5, which was current at the time of the answer. – 84104 Oct 12 '17 at 18:57
  • Oh wow. For some reason this got bumped and showed up on my list of recent Fedora questions and I missed the date. In any case, the edit is correct for current Fedora. :) – mattdm Oct 12 '17 at 19:26
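
The thread mentions editing /var/kerberos/krb5kdc/kadm5.acl so that an admin principal can run change_password; in MIT krb5 that command needs only the changepw (`c`) permission. The script below is an added example, not code from the thread or from the krb5 project, that lists which ACL entries grant that right and for which targets. It assumes the MIT kadm5.acl entry format and that permission letters are applied left to right; the sample ACL and its principal names are constructed.

```shell
#!/bin/sh
# Added example: list kadm5.acl entries that grant the change-password right.
# Entry format: principal  permissions  [target_principal  [restrictions]]
# Assumption: permission letters apply left to right, so "xC" means
# "everything except change-password".

# Print "actor<TAB>target" per granting entry; reads the file in $1, or stdin.
pw_changers() {
    awk '
        $1 ~ /^#/ || NF < 2 { next }        # comments, blank or malformed lines
        {
            grant = 0
            for (i = 1; i <= length($2); i++) {
                ch = substr($2, i, 1)
                if (ch == "c" || ch == "x" || ch == "*") grant = 1
                else if (ch == "C") grant = 0
            }
            # No target field means the entry applies to every principal.
            if (grant) printf "%s\t%s\n", $1, (NF >= 3 ? $3 : "*")
        }
    ' "${1:--}"
}

# Count entries that may change the password of any principal at all.
unrestricted_pw_changers() {
    pw_changers "${1:--}" | awk -F '\t' '$2 == "*"' | wc -l | tr -d ' '
}

# Constructed sample ACL (not from the page); names are placeholders.
sample_acl() {
    cat <<'EOF'
# actor                   perms  target
backup/admin@DOMAIN.TLD   xC
*/admin@DOMAIN.TLD        *
helpdesk@DOMAIN.TLD       c      *@DOMAIN.TLD
auditor@DOMAIN.TLD        il
EOF
}

sample_acl | pw_changers
```

On the KDC, `pw_changers /var/kerberos/krb5kdc/kadm5.acl` gives the same listing for the live ACL; every entry it prints can reset passwords for the targets shown.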