An updated version of this article is available

How to change your Kerberos password for the UNIX/Linux/Mac domain


2.0 - Updated on 2021-02-23 by Carlos Salazar (Inactive)

1.0 - Authored on 2012-11-26 by Fang Wang

Intended for: Users who need to change their Kerberos password for the UNIX/Linux/Mac domain

Scenario/Use Case:

This article provides instructions on how to change your Kerberos password for the UNIX/Linux/Mac domain.





To change your Kerberos password for the FNAL.GOV domain, open a terminal window and run the "kpasswd username@FNAL.GOV" command at the command prompt. You can also use SSH to log on to a remote computer and run the command there. If you are at the lab, make sure you connect to the FGZ network first. If you are on a personal machine, you will have to register your machine at the lab using this link or come to the Service Desk to have it registered for you.

    % kpasswd  username@FNAL.GOV
    Password for username@FNAL.GOV: <--- type your current password here
    New password: <--- type your new password here
    New password (again): <--- type your new password here for confirmation
    Kerberos password changed.



  1. Your password will not be displayed while you type it. If you type your current password correctly, then hitting the Enter key will bring up the new password prompt.
  2. If you want to change your UNIX/Linux/Mac Kerberos password using a Windows computer, you must type "kpasswd username@FNAL.GOV" rather than "kpasswd". Otherwise, you will change your Windows username@FERMI.WIN.FNAL.GOV password instead. If your Windows domain password is accidentally locked out with this command, it will be automatically unlocked after 30 minutes.


Kerberos password requirements


1. If you use Network Identity Manager (NetIdMgr) and have configured your FNAL.GOV identity there, you can use NetIdMgr to change your password.

2. If your password expires before you change it, you can still change it as long as you remember what it is. If you don't remember it, please call the Service Desk at (630) 840-2345 to have it reset.

3. If you use a Mac computer, you will need to wait up to 20 minutes after changing your password (regardless of whether you changed it from a Mac or a Linux computer) before you can be sure that running kinit on the Mac will work. This time period is needed for the databases on the Slave KDCs to be updated from the Master KDC.

4. If you use a Linux computer, you can run kinit immediately after changing your password. Because of the way MIT kinit works, it treats any error from a Slave KDC as a possible communications problem and retries the operation to the Master KDC. Thus, if you use your new password with a Slave KDC and get an incorrect password error, kinit will retry the operation to the Master KDC, which is guaranteed to have the new and correct password.
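
The propagation delay in notes 3 and 4, as an added toy model that is not part of the original article and is not MIT Kerberos code. All class and function names are hypothetical, the password values are constructed, and retry_master=False stands in for a client that does not retry against the master, which is an assumption about why note 3 requires the wait.

```python
# Toy model of the KDC propagation delay described in notes 3 and 4.
# Not MIT Kerberos code; class and function names are hypothetical.

class KDC:
    """A KDC holding its own copy of the principal -> password database."""
    def __init__(self, name, db):
        self.name = name
        self.db = dict(db)

    def authenticate(self, principal, password):
        return self.db.get(principal) == password


class Realm:
    def __init__(self, db, replica_count=2):
        self.master = KDC("master", db)
        self.replicas = [KDC(f"replica{i}", db) for i in range(replica_count)]

    def kpasswd(self, principal, old, new):
        # Password changes are applied on the master only.
        if not self.master.authenticate(principal, old):
            return False
        self.master.db[principal] = new
        return True

    def propagate(self):
        # Periodic database push from the master to every replica.
        for r in self.replicas:
            r.db = dict(self.master.db)


def kinit(realm, principal, password, retry_master):
    """Return the name of the KDC that accepted the password, or None."""
    replica = realm.replicas[0]
    if replica.authenticate(principal, password):
        return replica.name
    # Note 4: treat the replica's error as possibly stale data and ask the master.
    if retry_master and realm.master.authenticate(principal, password):
        return realm.master.name
    return None


def demo():
    realm = Realm({"username@FNAL.GOV": "old-pass"})   # constructed sample data
    realm.kpasswd("username@FNAL.GOV", "old-pass", "new-pass")
    before = (kinit(realm, "username@FNAL.GOV", "new-pass", retry_master=True),
              kinit(realm, "username@FNAL.GOV", "new-pass", retry_master=False))
    realm.propagate()
    after = kinit(realm, "username@FNAL.GOV", "new-pass", retry_master=False)
    return before, after
```

Before propagation only the client that retries against the master succeeds with the new password; after propagation the replica accepts it as well.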


