
kpasswd -c /tmp/krb5cc_1000 alice@EXAMPLE.COM doesn't work?



Hi,

If I use ktpass I can successfully change a user's password in AD:

  $ ./kpasswd alice@EXAMPLE.COM
  alice@EXAMPLE.COM's Password: 
  New password for alice@EXAMPLE.COM: 
  Verify password - New password for alice@EXAMPLE.COM: 
  Success

If I kinit as a 'Domain Admin' and use the ccache I can also successfully
change a user's password:

  $ kinit -f adm@EXAMPLE.COM
  Password for adm@EXAMPLE.COM:
  $ ./kpasswd -c /tmp/krb5cc_1000 alice@EXAMPLE.COM
  New password for alice@EXAMPLE.COM: 
  Verify password - New password for alice@EXAMPLE.COM: 
  Success

If I kinit as the user whose password is being changed and use the ccache
I get 'Malformed':

  $ kinit -f alice@EXAMPLE.COM
  Password for alice@EXAMPLE.COM: 
  $ ./kpasswd -c /tmp/krb5cc_1000 alice@EXAMPLE.COM
  New password for alice@EXAMPLE.COM: 
  Verify password - New password for alice@EXAMPLE.COM: 
  Malformed
  ^^^^^^^^^

On the wire the ccache'd way uses a TGS-REP to get the kadmin/changepw
ticket where the regular way uses an AS-REQ to get the kadmin/changepw
ticket.

Can someone explain as to why the third version does not work?

Do I have to do an AS-REQ for kadmin/changepw if I'm not an admin?

I have a web app that allows users to set their password using a
credential established during a previous authentication phase but
it doesn't work - I get 'Malformed' and it looks just like the third
scenario above.

Any ideas would be appreciated.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/