Change Kerberos Password (CHGKRBPWD)
| Where allowed to run: All environments (*ALL) Threadsafe: No |
Parameters Examples Error messages |
The Change Kerberos Password (CHGKRBPWD) command changes the password for the specified Kerberos principal.
Restrictions:
- If the principal is governed by a policy that specifies rules, like length or number of characters required in the new password, the new password must conform to the policy.
- You may not change the password for a ticket-granting service principal using the CHGKRBPWD command.
The Network Authentication Service Commands and APIs support job environments for most EBCDIC CCSIDs. CCSID 290 and 5026 are not supported because of the variance of lower-case letters a to z.
| Top |
Parameters
| Keyword | Description | Choices | Notes |
|---|---|---|---|
| PRINCIPAL | Principal | Element list | Required, Positional 1 |
| Element 1: Name | Character value | ||
| Element 2: Realm | Character value, *DFT | ||
| CURPWD | Current password | Character value | Required, Positional 2 |
| NEWPWD | New password | Character value | Required, Positional 3 |
| VFYPWD | Verify password | Character value | Required, Positional 4 |
| ADRLST | Contains address list | *YES, *NO | Optional |
| Top |
Principal (PRINCIPAL)
Specifies the principal name of a user or service principal on a host name in a Kerberos network. The principal and key pairs in the keytab file allow services running on the host to be authenticated by a Key Distribution Center (KDC). All the principals are added to the Kerberos server which maintains a database of all users and services within a Kerberos realm.
This is a required parameter.
Element 1: Name
Specifies the principal name or service principal on a specified host name.
- character-value
- Specify the user name of the Kerberos principal.
The Kerberos principal has a minimum length of 1 character and a maximum length of 256 characters. Valid characters are case sensitive and include all alpha-numeric characters (a-z, A-Z, 0-9) and any printable ASCII character. The principal name format is taken from the Kerberos 5 GSS-API mechanism (RFC 1964).
Special characters allowed:
/ - delimit name components.
Element 2: Realm
Specifies the realm in which the Kerberos user is registered and in which initial authentication took place.
- *DFT
- The default realm for the local system will be used. Typically, the default realm and the KDC for that realm are indicated in the Kerberos krb5.conf configuration file. If the default realm has not been set, it is obtained from the default_realm entry in the [libdefaults] section of the Kerberos configuration file.
- character-value
- Specify the name of the Kerberos realm where the user specified for the first element of this parameter is registered.
The name has a minimum length of 1 character and a maximum length of 256 characters. Valid characters are case sensitive and include all alpha-numeric characters (a-z, A-Z, 0-9) and any printable ASCII character. The principal name format is taken from the Kerberos 5 GSS-API mechanism (RFC 1964).
Special characters allowed:
@ - start realm.
| Top |
Current password (CURPWD)
Specifies the current password for the specified principal.
This is a required parameter.
- character-value
- Specify the password value.
| Top |
New password (NEWPWD)
Specifies the new password for the specified principal.
This is a required parameter.
- character-value
- Specify the new password value.
| Top |
Verify password (VFYPWD)
Specifies the new password again.
If the value specified for this parameter is different from the value specified for the New password (NEWPWD) parameter, the command fails and the password is not changed.
This is a required parameter.
- character-value
- Specify the new password value again.
| Top |
Contains address list (ADRLST)
Specifies whether the initial ticket used by this command will contain or a list of client addresses a local host address. When an initial ticket contains an address list, it can be used only from one of the addresses in the address list.
- *YES
- Ticket contains an address list.
- *NO
- Ticket contains just local host address.
| Top |
Examples
Example 1: Changing Password for a Kerberos Principal
CHGKRBPWD PRINCIPAL('jday' myco.com) CURPWD('myoldpwd')
NEWPWD('mynewpwd') VFYPWD('mynewpwd')
This command will change the password for the Kerberos principal with user name jday in realm myco.com from 'myoldpwd' to 'mynewpwd'.
| Top |
Error messages
*ESCAPE Messages
- CPFC60B
- The initial credentials can not be obtained.
- CPFC60E
- Password is not correct for principal.
- CPFC610
- No default credentials cache found.
- CPFC615
- The password can not be read.
- CPFC616
- Principal &1 not valid.
- CPFC617
- The password change request was canceled.
- CPFC618
- Password change request failed.
| Top |