[Bug 826989] Re: Cannot change Kerberos password with passwd(1)
Russ Allbery
rra at debian.org
Tue Aug 16 00:30:27 UTC 2011
"Daniel Richard G." <skunk at iskunk.org> writes:
> Okay, here is /etc/pam.d/common-auth:
> auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000
> auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
> auth requisite pam_deny.so
> auth required pam_permit.so
> And here is /etc/pam.d/common-password:
> password requisite pam_krb5.so minimum_uid=1000
> password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
Yeah, I suspect it would do what you want if you made this match the
common-auth configuration.
> password requisite pam_deny.so
> password required pam_permit.so
> (Both of these were produced by pam-auth-update, from stock PAM
> profiles.)
> In the auth stack, pam_krb5 succeeding is enough to allow login. Why
> doesn't the PAM profile for libpam-krb5 likewise specify "[success=end
> default=ignore]" for the password stack? As things are, you get
> inconsistent behavior between the two stacks.
It was the way Steve implemented this originally, and I remember that he
had some rationale for it, but I don't remember what it is. :/ I'll ask
him separately. It may be that they should change.
Thanks, that gets me pointed in the right direction.
--
Russ Allbery (rra at debian.org) <http://www.eyrie.org/~eagle/>
--
https://bugs.launchpad.net/bugs/826989
Title:
Cannot change Kerberos password with passwd(1)
Status in “libpam-krb5” package in Ubuntu:
New
Bug description:
This concerns libpam-krb5 version 4.2-1 in Ubuntu Natty, and is a
revisiting of an issue previously addressed in bug 334795.
$ passwd
Current Kerberos password:
passwd: Authentication token manipulation error
passwd: password unchanged
Previous reports I've filed described issues encountered on an Ubuntu
installation configured to use Kerberos, LDAP and AFS, a large number
of moving parts which tended to confuse the issue at hand. This time,
however, I've managed to reproduce the bug on a minimal Ubuntu
install, with libpam-krb5, and a local user (uid=1000) with the same
name as an existing Kerberos user. The Kerberos and PAM configs are
stock; Kerberos server information is being pulled from DNS. LDAP and
AFS are completely out of the picture.
I can log into the system as the Kerberos user without issue, but if I
attempt to change the password, I get the above error. If I add the
"debug" option to the pam_krb5 invocation in /etc/pam.d/common-
password, and then try again, I see this in /var/log/auth.log:
Aug 15 17:46:31 test-linux passwd[935]: pam_krb5(passwd:chauthtok): pam_sm_chauthtok: entry (0x4000)
Aug 15 17:46:31 test-linux passwd[935]: pam_krb5(passwd:chauthtok): (user dgomez) attempting authentication as daniel at EXAMPLE.COM
Aug 15 17:46:34 test-linux passwd[935]: pam_krb5(passwd:chauthtok): pam_sm_chauthtok: exit (success)
Aug 15 17:46:34 test-linux passwd[935]: pam_unix(passwd:chauthtok): authentication failure; logname=daniel uid=1000 euid=0 tty= ruser= rhost= user=daniel
So, what's the deal with this error?
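The control-field semantics under discussion, as an added example that is not part of the bug report or of libpam-krb5: a small Python model of how Linux-PAM walks a stack (simplified from pam.conf(5); "end" is taken as the pam-auth-update profile token and modelled as a jump past the last module), run over the two stacks Daniel posted for a user whose Kerberos password is accepted but whose local pam_unix password is not. It also shows why "[success=end default=ignore]" or the common-auth style "[success=2 default=ignore]" on pam_krb5 makes the password stack succeed.

```python
# Simulator for Linux-PAM stack control flow (constructed example, not libpam code).
# Actions follow pam.conf(5): ok, done, die, bad, ignore, or a jump count N; "end" is
# the pam-auth-update profile token, modelled here as a jump past the last module.
KEYWORDS = {  # keyword controls, expanded as pam.conf(5) defines them
    "required":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
}

def parse_line(line):
    """Return (control-dict, module) for one 'type control module args...' line."""
    tokens = line.split()
    if tokens[1].startswith("["):
        end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
        ctrl = dict(t.strip("[]").split("=") for t in tokens[1:end + 1])
        return ctrl, tokens[end + 1]
    return KEYWORDS[tokens[1]], tokens[2]

def run_stack(lines, returns):
    """Walk a stack; returns[module] is the code each module returns (default: failure)."""
    stack = [parse_line(l) for l in lines]
    i, verdict = 0, None             # verdict None: no module has set a result yet
    while i < len(stack):
        ctrl, module = stack[i]
        action = ctrl.get(returns.get(module, "failure"), ctrl.get("default", "bad"))
        i += 1
        if action == "die":          # requisite failure: the stack stops right here
            return "failure"
        if action == "bad":          # required failure: remembered, stack continues
            verdict = "failure"
        elif action != "ignore":     # ok, done, N and end all count as a success result
            verdict = verdict or "success"
            if action == "done" and verdict == "success":
                return "success"
            if action == "end":
                i = len(stack)
            elif action not in ("ok", "done"):
                i += int(action)     # jump over the next N modules
    return verdict or "failure"

def posted_stack(kind, krb5_control, unix_args):
    """One of the posted stacks: pam_krb5 (control as given), pam_unix, pam_deny, pam_permit."""
    return [f"{kind} {krb5_control} pam_krb5.so minimum_uid=1000",
            f"{kind} [success=1 default=ignore] pam_unix.so {unix_args}",
            f"{kind} requisite pam_deny.so",
            f"{kind} required pam_permit.so"]
COMMON_AUTH = posted_stack("auth", "[success=2 default=ignore]", "nullok_secure try_first_pass")
COMMON_PASSWORD = posted_stack("password", "requisite", "obscure use_authtok try_first_pass sha512")
# The reported case (constructed): Kerberos password accepted, local pam_unix password rejected.
KRB5_ONLY = {"pam_krb5.so": "success", "pam_unix.so": "failure",
             "pam_deny.so": "failure", "pam_permit.so": "success"}
```

Calling run_stack(COMMON_AUTH, KRB5_ONLY) gives "success" while run_stack(COMMON_PASSWORD, KRB5_ONLY) gives "failure", because pam_krb5's requisite success only continues the stack and pam_unix's ignored failure leaves pam_deny to decide.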