Changing Kerberos passwords

The kpasswd command changes the password for the specified Kerberos principal using the password change service. You can also use the Change Kerberos Password (CHGKRBPWD) CL command to change Kerberos passwords.

kpasswd command

You must supply the current password for the principal as well as the new password. The password server will apply any applicable password policy rules to the new password before changing the password. The password server is configured during the installation and configuration of the Kerberos server. See the documentation that corresponds with that system.
Note: IBM® i PASE does not support a password server. To change a password for a principal stored on the Kerberos server, you must enter the PASE environment (call QP2TERM) and issue the kpasswd command.

During network authentication service configuration, you can specify the name of the password server. If one has not been specified during configuration, you can add a password server.

You may not change the password for a ticket-granting service principal (krbtgt/realm) using the kpasswd command.

To change the password for the default principal:
  • On a Qshell command line, enter kpasswd
  • On a command line, enter call qsys/qkrbkpsswd
To change the password for another principal:
  • On a Qshell command line, enter kpasswd jday@myco.com

To change the password for another principal in PASE for i:

Using a character-based interface

  1. In a character-based interface, enter call QP2TERM. This command opens an interactive shell environment that allows you to work with PASE for i applications.
  2. At the command line, enter export PATH=$PATH:/usr/krb5/sbin. This command points to the Kerberos scripts that are necessary to run the executable files.
  3. At the QSH prompt, enter kadmin -p admin/admin. Press Enter.
  4. Sign in with your administrator's username and password.
  5. Enter kpasswd jday@myco.com. You will be prompted to change the password for this principal.

Using a command line

On an command line, enter call qsys/qkrbkpsswd parm ('jday@myco.com')

For more details on the use of this command, see the passwd usage notes.

Change Kerberos Password (CHGKRBPWD) command

On the IBM i command line, you can also use the Change Kerberos Password (CHGKRBPWD) command to change Kerberos passwords. For instance, for the Kerberos principal jday in the realm myco.com, you can use the following command to change the password from myoldpwd to mynewpwd:

CHGKRBPWD PRINCIPAL('jday' myco.com) CURPWD('myoldpwd') NEWPWD('mynewpwd') VFYPWD('mynewpwd')