/etc/services defines the kpasswd port to be 761. The kerberos source code
has it as:
krb5-1.2.1/src/include/krb5/stock/osconf.h:#define DEFAULT_KPASSWD_PORT 464
If you don't have kpasswd_server specified in /etc/krb5.conf (the default
install doesn't), the kerberos code then uses the hard-coded value rather
than the value specified in /etc/services. See
/etc/services also specifies the kpasswd port as tcp:
kpasswd 761/tcp kpwd # Kerberos "passwd"
It should be udp: see
kadmind will listen for password changes on the hard-coded 464 port unless your
kdc.conf contains the undocumented 'kpasswd_port' entry.
The entry in /etc/services corresponds to a never-officially-allocated port
number. This is messy. Reassigning to the "setup" component, which includes
the /etc/services file. I'm going to have to go through it looking for other
This is already fixed in rawhide.
Fixed in the current release, via general cleanups in /etc/services, and a patch
David Wragg sent to krbdev.