How to use kpasswd to change Fermi domain, Services or Kerberos passwords
Intended for:
Users who wish to use the kpasswd command to reset their Fermi domain (Windows log on), Services or Kerberos passwords. This is another option for users who need to reset their password and is done by command line (in a terminal for Mac/Linux or for a Windows command prompt:
Other options for resetting passwords include:
- Password Reset Tool (for Fermi domain and Services accounts only; requires an RSA token, YubiKey, CILogon certificate or Kerberos ticket to access.). This will allow you the convenience of changing your password now and at any point in the future, 24x7, without having to contact the Service Desk.
- Contacting the Service Desk.
- For employees who need to reset their Windows logon (Fermi domain) password, they can press Ctrl + Alt + Delete and click "Change a password..." You must know your password for this option.
Scenario/Use case:
Reset Services, Fermi domain (Windows log on) or Kerberos password.
Before you begin:
To use kpasswd, you must meet the following requirements:
- You must be connected to the lab network (onsite or via VPN) to reset your Fermi domain (Windows log on) and Services passwords. (Kerberos accounts can be reset offsite)
- You must know your old password. If you do not know your old password, you must contact the Service Desk.
- You must follow the password complexity requirements (see bottom of article)
- For Windows computers, you must install MIT Kerberos (Fermilab or personally owned)
Instructions:
When connected to the Fermilab network (onsite or via VPN) on a Fermilab-owned computer or device:
- Open a terminal window:
- Mac users: open terminal
- Windows users: open command prompt
- Linux users: if using GUI, open terminal; if not, type the command
- Pick the appropriate domain and type the associated command:
- Fermi
kpasswd username@FERMI.WIN.FNAL.GOV
- Fermi
-
- Services
kpasswd username@SERVICES.FNAL.GOV
-
- Kerberos
kpasswd username@FNAL.GOV
- Enter your current password. If you do not know your current password, contact the Service Desk.
- Enter your new password following the password requirements (see bottom of article).
When connected to the Fermilab network on a non-FERMI computer:
- Install the krb5.conf file on your computer (Linux and Mac computers only).
- Open a terminal window:
-
- Mac users: open terminal
- Windows users: open command prompt
- Linux users: if using GUI, open terminal; if not, type the command.
- Pick the appropriate domain and type in the associated command:
-
- Fermi
kpasswd username@FERMI.WIN.FNAL.GOV
- Fermi
-
- Services
kpasswd username@SERVICES.FNAL.GOV
-
- Kerberos
kpasswd username@FNAL.GOV
- Enter in your current password. If you do not know your current password, contact the Service Desk.
- Enter your new password following the password requirements (see bottom of article)
When not connected to the Fermilab network or if you are using a non-Fermilab-owned computer:
- Install the Fermilab VPN software.
- Install the krb5.conf file on your computer ( Linux and Mac only).
- Open a terminal window
- Mac users: open terminal
- Windows users: open command prompt
- Linux users: if using GUI, open terminal; if not, type in the command
- Pick the appropriate domain domain and type in the associated command:
-
- Fermi
kpasswd username@FERMI.WIN.FNAL.GOV
-
- Services
kpasswd username@SERVICES.FNAL.GOV
-
- Kerberos
kpasswd username@FNAL.GOV
- Enter your current password. If you do not know your current password, contact the Service Desk.
- Enter your new password following the password requirements (at bottom of article)
Password Requirements:
-
- Minimum of 10 characters
- Three of the four character groups must be used
-
-
- Uppercase
- Lowercase
- Numeric
- Special characters ( !,%,#, and @ are supported )
-
-
- The password cannot contain three or more characters from your username
- You cannot reuse any of your last 8 passwords
- Your password cannot contain your username or real name
- The password has a minimum age of 2 days