[Bug 826989] Re: Cannot change Kerberos password with passwd(1)
Russ Allbery
rra at debian.org
Mon Aug 15 23:22:51 UTC 2011
"Daniel Richard G." <skunk at iskunk.org> writes:
> The shadow database has a non-hashable password field for the user.
> Kerberos is the only way this user can log in. Why wouldn't the behavior
> of a password change then simply update the Kerberos password, and leave
> the Unix one alone?
Because you don't have PAM configured to do that? I'd have to see the PAM
configuration to be sure, but generally PAM is configured to require the
various stacked modules to succeed, so if pam_unix fails, it fails the
stack. You have to ensure that the module is configured so that the ones
you're not interested in using are skipped properly and their exit status
doesn't contribute to the result.
It's hard to be more specific without knowing the behavior that you want,
but there are several examples in the libpam-krb5 documentation that try
to cover some of the common cases.
What's clear from your trace, though, is that this is not a libpam-krb5
problem. Everything about libpam-krb5 in your trace succeeded; some other
module is failing.
--
Russ Allbery (rra at debian.org) <http://www.eyrie.org/~eagle/>
--
https://bugs.launchpad.net/bugs/826989
Title:
Cannot change Kerberos password with passwd(1)
Status in “libpam-krb5” package in Ubuntu:
New
Bug description:
This concerns libpam-krb5 version 4.2-1 in Ubuntu Natty, and is a
revisiting of an issue previously addressed in bug 334795.
$ passwd
Current Kerberos password:
passwd: Authentication token manipulation error
passwd: password unchanged
Previous reports I've filed described issues encountered on an Ubuntu
installation configured to use Kerberos, LDAP and AFS, a large number
of moving parts which tended to confuse the issue at hand. This time,
however, I've managed to reproduce the bug on a minimal Ubuntu
install, with libpam-krb5, and a local user (uid=1000) with the same
name as an existing Kerberos user. The Kerberos and PAM configs are
stock; Kerberos server information is being pulled from DNS. LDAP and
AFS are completely out of the picture.
I can log into the system as the Kerberos user without issue, but if I
attempt to change the password, I get the above error. If I add the
"debug" option to the pam_krb5 invocation in
/etc/pam.d/common-password, and then try again, I see this in
/var/log/auth.log:
Aug 15 17:46:31 test-linux passwd[935]: pam_krb5(passwd:chauthtok): pam_sm_chauthtok: entry (0x4000)
Aug 15 17:46:31 test-linux passwd[935]: pam_krb5(passwd:chauthtok): (user dgomez) attempting authentication as daniel at EXAMPLE.COM
Aug 15 17:46:34 test-linux passwd[935]: pam_krb5(passwd:chauthtok): pam_sm_chauthtok: exit (success)
Aug 15 17:46:34 test-linux passwd[935]: pam_unix(passwd:chauthtok): authentication failure; logname=daniel uid=1000 euid=0 tty= ruser= rhost= user=daniel
So, what's the deal with this error?
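The stacking behaviour described in the reply above, as an added example that is not part of the original message or of the libpam-krb5 documentation: a simplified, single-pass Python model of Linux-PAM control-flag evaluation, run over a stack where every module must succeed and over one where pam_unix is skipped once pam_krb5 succeeds. Both stacks and the module return values are constructed for illustration, and the model ignores that passwd calls the password stack twice (preliminary check, then update).

```python
# Simplified single-pass model of Linux-PAM control flags (added illustration).
# Stacks and module return values below are constructed, not the reporter's.
KEYWORDS = {  # classic keywords as bracket equivalents (abridged), per pam.conf(5)
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(control):
    if control in KEYWORDS:
        return KEYWORDS[control]
    return dict(pair.split("=", 1) for pair in control.strip("[]").split())

def run_stack(stack, results):
    """Evaluate (control, module) pairs; results maps module -> return token."""
    status, failed, skip, trace = None, False, 0, []
    for control, module in stack:
        if skip:                      # consumed by an earlier jump
            skip -= 1
            trace.append(f"{module}: skipped")
            continue
        ret = results[module]
        actions = parse_control(control)
        action = actions.get(ret, actions["default"])
        trace.append(f"{module}: {ret} -> {action}")
        if action.isdigit():          # jump: skip N modules, contribute nothing
            skip = int(action)
        elif action in ("ok", "done") and not failed:
            status = ret
            if action == "done":
                break
        elif action in ("bad", "die"):
            if not failed:            # the first failure is the one reported
                status, failed = ret, True
            if action == "die":
                break
    return status or "no_module_decided", trace

RESULTS = {"pam_krb5": "success", "pam_unix": "authtok_err",
           "pam_deny": "authtok_err", "pam_permit": "success"}
ALL_REQUIRED = [("required", "pam_krb5"), ("required", "pam_unix")]
SKIP_ON_SUCCESS = [
    ("[success=2 default=ignore]", "pam_krb5"),
    ("[success=1 default=ignore]", "pam_unix"),
    ("requisite", "pam_deny"),
    ("required", "pam_permit"),
]
for name, stack in (("all required", ALL_REQUIRED), ("skip on success", SKIP_ON_SUCCESS)):
    print(name, "->", run_stack(stack, RESULTS))
```

In the first stack the pam_unix failure becomes the result even though pam_krb5 succeeded, which matches the shape of the trace in the bug description; in the second, the jump on pam_krb5 success means pam_unix never runs.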