How to change your Kerberos password for the UNIX/Linux/Mac domain
Intended for:
Users who need to change their Kerberos password for the UNIX/Linux/Mac domain.
Scenario/Use Case:
This article provides instructions on how to change your Kerberos password for the UNIX/Linux/Mac domain.
Notes:
- If you forgot your Kerberos password and want to reset it, please call the Service Desk at (630) 840 2345 to have it reset.
- If you ONLY use a Windows computer and NEVER log on to a Linux, Mac or UNIX computer, you don't need a Kerberos password for the FNAL.GOV domain.
- It may take up to 20 minutes for the new password to become valid on all systems (see details below).
Instructions:
To change your Kerberos password for the FNAL.GOV domain, open a terminal window and run the "kpasswd username@FNAL.GOV" command at the command prompt. You can also use SSH to log on to a remote computer and run the command there. If at the lab make sure you connect to the FGZ network first. If you are on a personal machine you will have to register your machine at the lab using this link or come to the Service Desk to have it registered for you.
% kpasswd username@FNAL.GOV
Password for username@FNAL.GOV: <--- type your current password here
New password: <--- type your new password here
New password (again): <--- type your new password here for confirmation
Kerberos password changed.
Notes:
- Your password will not be displayed while you type it. If you type your current password correctly, then hitting the Enter key will bring up the new password prompt.
- If you want to change your UNIX/Linux/Mac Kerberos password using a Windows computer, you must type "kpasswd username@FNAL.GOV" rather than "kpasswd". Otherwise, you will change your Windows username@FERMI.WIN.FNAL.GOV password instead. If your Windows domain password is accidentally locked out with this command, it will be automatically unlocked after 30 minutes.
Kerberos password requirements
- Minimum of 10 characters.
- Two of the four character groups must be used. These groups include:
- English uppercase characters (A through Z).
- English lowercase characters (a through z).
- Base 10 digits (0 through 9).
- Non-alphabetic characters (For example: ! @ # $ ^ & * % - . , ).
- This password expires every 400 days.
- You cannot repeat your last 8 passwords.
Notes:
1. If you use Network Identity Manager (NetIdMgr) and have configured your FNAL.GOV identity there, you can use NetIdMgr to change your password.
2. If your password expires before you change it, you can still change it as long as you remember what it is. If you don't remember it, please call the Service Desk at (630) 840-2345 to have it reset.
3. If you use a Mac computer, you will need to wait up to 20 minutes after changing your password (regardless of changing it via a Mac or a Linux computer) before you can be sure that doing a kinit on the Mac will work. This time period is needed for the databases on the Slave KDCs to be updated from the Master KDC.
4. If you use a Linux computer, you can run kinit immediately after changing your password. Because of the way MIT kinit works, it treats any error from a Slave KDC as a possible communications problem and retries the operation to the Master KDC. Thus if you use your new password with a Slave KDC and get an incorrect password error, kinit will retry the operation to the Master KDC which is guaranteed to have the new and correct password.
See Also:
- How to change your FERMI domain (Windows login) password
- How to change or reset your Fermilab passwords