AD Kerberos change password

I'm playing around with AD and Mac clients. I have bound a 10.4.10 Mac to AD. AD is on an SBS 2003 server with ISA 2004. So far so good. Where I encounter problems is when I try to change the password.

I couldn't change the password from the login window, so I tried it with the kerberos.app. I can't change the password here either and get the following error:
Kerberos Password change failed
Requested effective lifetime is negative or too short

Any ideas?

Mac OS X (10.4.10)

Posted on Sep 17, 2007 3:26 AM

4 replies

Sep 17, 2007 2:36 PM in response to Red Grant

Hi

Amongst other things Kerberos authentication is time dependent. Tickets to principals are time stamped on issue. By default AD has a time differential of 5 minutes. Check the time between the Server (which uses itself to keep time) and the clients. If they are out then that would explain the error message you would see. You can extend the time difference to 10 minutes. You could also make all the clients use the AD Server as their Network Time Server or you could point the server and the clients to an internet based Time Server.

I don’t think it’s possible to change a network user’s password that exists in the AD’s OU from the client. You would have to change it on the Server.

Tony
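An added example, not part of the original thread: one way to measure the clock difference described in the reply above is to compute the standard SNTP offset from a time-server reply and compare it with the 5-minute tolerance. The function names are illustrative and the reply packet is constructed sample data; in real use the 48 bytes would come from a UDP port 123 query to the AD server.

```python
import struct

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
KERBEROS_MAX_SKEW = 300        # the 5-minute default tolerance mentioned in the reply

def _to_ntp(unix_ts):
    whole = int(unix_ts)
    return whole + NTP_EPOCH_DELTA, int((unix_ts - whole) * 2**32)

def _to_unix(seconds, fraction):
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32

def build_reply(t1, t2, t3, stratum=2):
    """Constructed sample data: a 48-byte SNTP server reply (version 4, mode 4).
    t1 = client send time (echoed back), t2 = server receive, t3 = server send."""
    header = struct.pack("!BBbb3I", (4 << 3) | 4, stratum, 6, -20, 0, 0, 0)
    stamps = struct.pack("!8I", *_to_ntp(t3), *_to_ntp(t1), *_to_ntp(t2), *_to_ntp(t3))
    return header + stamps

def clock_offset(reply, t4):
    """Seconds the server is ahead of this client (negative: client is ahead).
    t4 is the client's own clock reading when the reply arrived."""
    if len(reply) < 48:
        raise ValueError("short SNTP reply")
    flags, stratum = struct.unpack("!BB", reply[:2])
    if flags & 0x07 != 4 or stratum == 0:   # must be a server reply, not kiss-of-death
        raise ValueError("not a usable server reply")
    f = struct.unpack("!8I", reply[16:48])  # reference, originate, receive, transmit
    t1, t2, t3 = _to_unix(f[2], f[3]), _to_unix(f[4], f[5]), _to_unix(f[6], f[7])
    # Network delay cancels out when it is the same in both directions.
    return ((t2 - t1) + (t3 - t4)) / 2

def within_kerberos_skew(reply, t4, max_skew=KERBEROS_MAX_SKEW):
    offset = clock_offset(reply, t4)
    return offset, abs(offset) <= max_skew

if __name__ == "__main__":
    client = 1190000000                      # constructed client clock reading
    # Server is 7 minutes ahead; 1 second of network delay each way.
    reply = build_reply(client, client + 421, client + 421)
    offset, ok = within_kerberos_skew(reply, client + 2)
    print(f"offset {offset:+.1f}s, within tolerance: {ok}")
```

An offset whose absolute value exceeds the tolerance means the client's clock has to be corrected, or the tolerance widened, before Kerberos requests from that client will be accepted.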

Sep 18, 2007 9:49 AM in response to Red Grant

Hi

If you have access to the AD admin person you could ask him/her if Digital Signing is enabled. If it is then this could cause potential log on problems. It should be disabled (there are 3 instances I think where it is enabled) if you want to accommodate Macs in an AD environment. However this may cause a problem as the AD admin person may have very good reasons for leaving it enabled.

Tony

Sep 24, 2007 12:52 PM in response to Red Grant

I also encountered the same error. I ended up needing to go into the System Preferences and set the computer's time against the local server's time server, so the time between the client and server would be within 5 minutes of each other. This ended up solving that particular problem.

Still had issues trying to change the password, but it was a different error, at least.

The oddest thing is that the computer did bind with AD, which perhaps shouldn't have done so if the client was too different from the server. Odd....
