You must install KPA and then load it on the eDirectory server where the password change occurs.
To start the KPA, enter kpa -l.
To stop the KPA, enter kpa -u.
The messages logged by the Password Agent are displayed when the Misc tag is enabled in ndstrace. The messages are also logged in the log file that is configured for the eDirectory server.
IMPORTANT: The Kerberos Password Agent is not loaded automatically when the machine or eDirectory is restarted. You must load it manually.
The encryption types and salt type used by the Kerberos Password Agent to generate the Kerberos keys from the Universal Password are based on the following:
If the principal has Kerberos keys, the encryption and salt types used for generating the existing keys are used to generate the new keys from the Universal Password.
If the principal does not have the Kerberos password set, the default encryption and salt types configured for the realm are used for the key generation.
If the default key types are not configured for the realm, the key types used are DES3-HMAC-SHA1:NORMAL and DES-CBC-CRC:NORMAL.
The following are the supported encryption and salt types:
DES-CBC-CRC: DES cbc mode with CRC-32
DES-CBC-MD4: DES cbc mode with RSA-MD4
DES-CBC-MD5: DES cbc mode with RSA-MD5
DES3-CBC-SHA1-KD: triple DES cbc mode with HMAC/sha1
AES128-CTS-HMAC-SHA1-96
AES256-CTS-HMAC-SHA1-96
RC4-HMAC
normal: default for Kerberos Version 5
v4: the only type used by Kerberos Version 4, no salt
norealm: same as the default, without using realm information
onlyrealm: uses only realm information as the salt
special: only used in very special cases; not fully supported
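The selection rules and salt types listed above can be modelled to check which keys a password change would produce for a given principal. This is an added example, not Novell's code or the KPA API: the function names and sample principal are hypothetical. It assumes the Kerberos V5 default salt is the realm followed by the principal name components (RFC 4120), and it marks single DES (RFC 6649) and 3DES/RC4 (RFC 8429) as deprecated.

```python
# Added example: models the key-type selection rules on this page (hypothetical names).

# Fallback named on the page when the realm has no default key types.
FALLBACK = ["DES3-HMAC-SHA1:NORMAL", "DES-CBC-CRC:NORMAL"]

# Deprecated for Kerberos: single DES (RFC 6649), 3DES and RC4 (RFC 8429).
DEPRECATED_PREFIXES = ("DES-", "DES3-", "RC4-")


def select_key_types(existing_keys, realm_defaults):
    """Return (rule, key_types) that would apply on a password change."""
    if existing_keys:                 # principal already has Kerberos keys
        return "existing-keys", list(existing_keys)
    if realm_defaults:                # no keys yet, realm default configured
        return "realm-default", list(realm_defaults)
    return "fallback", list(FALLBACK)


def salt_for(salt_type, realm, components):
    """Salt string for a salt type; 'special' is not modelled."""
    name = "".join(components)
    salts = {"normal": realm + name, "norealm": name,
             "onlyrealm": realm, "v4": ""}
    if salt_type.lower() not in salts:
        raise ValueError(f"salt type not modelled: {salt_type}")
    return salts[salt_type.lower()]


def audit(principal, realm, existing_keys, realm_defaults):
    """List each key that would be generated, marking deprecated enctypes."""
    name = principal.split("@")[0]
    rule, key_types = select_key_types(existing_keys, realm_defaults)
    rows = []
    for kt in key_types:
        enc, salt_type = kt.split(":")
        rows.append({
            "rule": rule, "enctype": enc,
            "salt": salt_for(salt_type, realm, name.split("/")),
            "deprecated": enc.upper().startswith(DEPRECATED_PREFIXES),
        })
    return rows


if __name__ == "__main__":
    # Constructed sample: new principal in a realm with no default key types.
    for row in audit("alice@EXAMPLE.COM", "EXAMPLE.COM", [], []):
        print(row)
```

With no existing keys and no realm default, both generated keys come from the fallback pair and are flagged, which is the case to look for when reviewing realm configuration before loading the agent.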