Printable View
Hi guys
I understand that for Kerberos authentication in a 2k3 domain, when a user successfully authenticated himself to the AD, the KDC will issue him a TGT and a session ticket. He will then use them to request for sevice tickets to access server resources.
What I like to know is when the TGT expires, it will go through a ticket renewal process with the KDC to renew the tickets. Will they through another round of authentication during renewal?
Please advise.
Thanks
Hello Domon.
Just check the following Article describing: How the Kerberos Version 5 Authentication Protocol Works.
I'm sure this is what you need to know.
Hi Meinolf
Thanks for the reply.
So, let's say that I have a service running using an service account called "serviceAcc". This account is given "PasswordA" as the password. In a domain controller, we change the service account's password to "PasswordB". And we change the password on the service's properties as well. However , we did not restart the service. From what I understand is that the new password will not take effect until the service is restarted. In this, how will the service be affected if the tickets is to be renewed?
Would like to hear your views on this ...
Thanks
YOu actually need to restart the service once doing the same. Unless you restart it the service will not work fine. This is the only reason that you can configure a long strong password for the user account
Hi Meinolf
I see. As the service is not restarted, it will still use back the old Password "PasswordA". When the tickets are to be renewed, it will use the old password. This will result in a bad password error as the new password "PAsswordB" is set in the Active Directory. Thus, the tickets will not be renewed and results in the service not been able to work. Am I having the correct concept? Please correct me if I'm wrong.
Thanks
Hello,
I really think this post is very useful and clear.
A question came to my mind related to this: what happens if I change my password while i have a valid ticket Does the KDC automatically renew the ticket?
Thanks in advance.
//oops! I wrote it when I had just read the first post of the thread! sorry, guys!
I think that "expect" has a passwd change script called autopasswd that changes user passwords without prompt, which is probably what you're looking for as re "kinit root.admin". The expect script would have to have the expect binary decleration on the top line and would run such like:"expect scriptname username password".Quote:
Originally Posted by bacon