Notes on Changing Your Kerberos Passwords

Beware of Network Address Translation (NAT)

If your client system is behind a NAT router, you cannot use that system to change your Kerberos password. The Kerberos password-changing service will only work for systems with a public IP address. If your system's IP address is something like 192.168.x.x then you might be behind such a router. If you do try to change your password from behind a NAT, you may get an error message along the lines of "Failed decrypting request."

However, if you are using the VPN Client to connect to Fermilab, then you can go ahead and change your password from your client system, since the VPN tunnels through the NAT router and your system gets assigned a second IP address in the Fermilab network address space.
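A quick pre-check for the situation described above, as an added example that is not part of the original page: it classifies IPv4 addresses you pass in and reports whether the host has only private addresses. It goes beyond the 192.168.x.x case to cover all RFC 1918 ranges and RFC 6598 carrier-grade NAT space; the function names are hypothetical, and it assumes a VPN-assigned address appears as an additional non-private address.

```shell
# Added example (not from the original page): flag addresses that suggest NAT.
# Private: RFC 1918 (10/8, 172.16/12, 192.168/16) and RFC 6598 (100.64/10).

# classify_address ADDR prints "private", "public" or "invalid".
classify_address() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split the dotted quad into $1..$4
    IFS=$old_ifs
    if [ $# -ne 4 ]; then echo invalid; return 0; fi
    for octet in "$@"; do
        if [ ${#octet} -gt 3 ] || [ "$octet" -gt 255 ]; then
            echo invalid; return 0
        fi
    done
    if [ "$1" -eq 10 ] ||
       { [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; } ||
       { [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; } ||
       { [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; }; then
        echo private
    else
        echo public
    fi
}

# only_private_addresses ADDR... succeeds when at least one valid address is
# given and none is public, i.e. the host may be behind NAT.
# Heuristic assumption: a VPN-assigned address shows up as a non-private one.
only_private_addresses() {
    seen=0
    for ip in "$@"; do
        case $(classify_address "$ip") in
            public)  return 1 ;;
            private) seen=1 ;;
        esac
    done
    [ "$seen" -eq 1 ]
}

# Constructed samples; 198.51.100.7 is a documentation address standing in
# for a second, VPN-assigned address.
for addrs in "192.168.1.20" "192.168.1.20 198.51.100.7"; do
    only_private_addresses $addrs && echo "$addrs: private only, kpasswd may fail" \
        || echo "$addrs: has a non-private address"
done
```

Pass the function the addresses your system reports for its interfaces. A private address only suggests NAT, so treat the result as a hint before running kpasswd.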


Changing your Kerberos password from the command line

Linux and Mac OS X users use the kpasswd utility to change their Kerberos password from the command line:

% kpasswd  principal

Changing your Kerberos password from NetIdMgr under Windows

Windows users can change their domain password (which is the FERMI.WIN.FNAL.GOV Kerberos Realm password) using the Change Password button on the Ctrl-Alt-Delete dialog or with the NetIdMgr (Network Identity Manager) utility that is part of MIT's Kerberos for Windows (KfW). Instructions for NetIdMgr can be found in the FAQ for NetIdMgr.

Windows desktop users can also use NetIdMgr to change the password for their account in the FNAL.GOV Kerberos Realm by selecting FNAL.GOV instead of FERMI.WIN.FNAL.GOV in the pulldown menu shown in the FAQ above.

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team; last modified by FJN on December 12, 2007.
(Address comments about page to the Computer Security Team.)