[Bug 826989] [NEW] Cannot change Kerberos password with passwd(1)

[Russ Allbery]

"Daniel Richard G." <skunk at iskunk.org> writes:

> I can log into the system as the Kerberos user without issue, but if I
> attempt to change the password, I get the above error. If I add the
> "debug" option to the pam_krb5 invocation in /etc/pam.d/common-password,
> and then try again, I see this in /var/log/auth.log:

> Aug 15 17:46:31 test-linux passwd[935]: pam_krb5(passwd:chauthtok): pam_sm_chauthtok: entry (0x4000)
> Aug 15 17:46:31 test-linux passwd[935]: pam_krb5(passwd:chauthtok): (user dgomez) attempting authentication as daniel at EXAMPLE.COM
> Aug 15 17:46:34 test-linux passwd[935]: pam_krb5(passwd:chauthtok): pam_sm_chauthtok: exit (success)
> Aug 15 17:46:34 test-linux passwd[935]: pam_unix(passwd:chauthtok): authentication failure; logname=daniel uid=1000 euid=0 tty= ruser= rhost=  user=daniel

> So, what's the deal with this error?

You have some other PAM module stacked with pam-krb5 that's rejecting
password changes for that user.  Probably pam_unix without /etc/shadow
data.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libpam-krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/826989

Title:
  Cannot change Kerberos password with passwd(1)

Status in “libpam-krb5” package in Ubuntu:
  New

Bug description:
  This concerns libpam-krb5 version 4.2-1 in Ubuntu Natty, and is a
  revisiting of an issue previously addressed in bug 334795.

      $ passwd
      Current Kerberos password: 
      passwd: Authentication token manipulation error
      passwd: password unchanged

  Previous reports I've filed described issues encountered on an Ubuntu
  installation configured to use Kerberos, LDAP and AFS, a large number
  of moving parts which tended to confuse the issue at hand. This time,
  however, I've managed to reproduce the bug on a minimal Ubuntu
  install, with libpam-krb5, and a local user (uid=1000) with the same
  name as an existing Kerberos user. The Kerberos and PAM configs are
  stock; Kerberos server information is being pulled from DNS. LDAP and
  AFS are completely out of the picture.

  I can log into the system as the Kerberos user without issue, but if I
  attempt to change the password, I get the above error. If I add the
  "debug" option to the pam_krb5 invocation in /etc/pam.d/common-
  password, and then try again, I see this in /var/log/auth.log:

  Aug 15 17:46:31 test-linux passwd[935]: pam_krb5(passwd:chauthtok): pam_sm_chauthtok: entry (0x4000)
  Aug 15 17:46:31 test-linux passwd[935]: pam_krb5(passwd:chauthtok): (user dgomez) attempting authentication as daniel at EXAMPLE.COM
  Aug 15 17:46:34 test-linux passwd[935]: pam_krb5(passwd:chauthtok): pam_sm_chauthtok: exit (success)
  Aug 15 17:46:34 test-linux passwd[935]: pam_unix(passwd:chauthtok): authentication failure; logname=daniel uid=1000 euid=0 tty= ruser= rhost=  user=daniel

  
  So, what's the deal with this error?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libpam-krb5/+bug/826989/+subscriptions