[Bug 411249] Re: libpam-krb5 default configuration does not allow login for LDAP users

Philipp Kaluza pk+debs at yomu.de
Mon Aug 10 22:45:37 UTC 2009


In your setup, the shadow information is interpreted by pam_unix (not pam_ldap), but, assuming you have no local user, still comes from LDAP (via nss_ldap). Please check if your user has the auxiliary objectclass shadowAccount configured, and check the associated attributes (specifically shadowLastChange, shadowMax and shadowExpire).

If I had to venture a guess, I would say that changing the password via Kerberos works correctly, but then libnss-ldap does not have enough permissions to update shadowLastChange, which fails silently but causes pam_unix to prompt for another password update. Depending on your exact Kerberos configuration, if your Kerberos passwords are stored in the LDAP server anyhow, you might want to consider pam_ldap for password updates. If you do, make sure TLS or SSL works correctly between the user-facing hosts and the LDAP server.

-- 
libpam-krb5 default configuration does not allow login for LDAP users
https://bugs.launchpad.net/bugs/411249
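
The attribute check suggested in the message above, as an added example (not part of the original post and not pam_unix's own code): a simplified model of the shadow(5) ageing rules applied to shadowAccount values. The function name, the sample entries and the evaluation date are constructed assumptions; inactivity and warning periods are ignored.

```python
from datetime import date

EPOCH = date(1970, 1, 1)
TODAY = date(2009, 8, 10)  # constructed evaluation date (day 14466)


def shadow_status(attrs, today=TODAY):
    """Classify an account from its shadowAccount attributes.

    attrs maps LDAP attribute names to string values, as an LDAP search
    would return them; a missing key, "" or "-1" means "not set".
    """
    def num(name):
        raw = attrs.get(name, "")
        return None if raw in ("", "-1") else int(raw)

    now = (today - EPOCH).days  # shadow fields count days since 1970-01-01
    last = num("shadowLastChange")
    max_age = num("shadowMax")
    expire = num("shadowExpire")

    if expire is not None and now >= expire:
        return "account expired"
    if last == 0:
        return "password change required (shadowLastChange is 0)"
    if last is not None and max_age is not None and now - last > max_age:
        return "password change required (older than shadowMax)"
    return "ok"


# Constructed sample entries, not taken from the bug report.
SAMPLES = {
    # Password changed via Kerberos, but shadowLastChange was never updated:
    # pam_unix still sees a 166-day-old password against a 90-day limit.
    "stale": {"shadowLastChange": "14300", "shadowMax": "90"},
    # Same user once shadowLastChange is written on password change.
    "updated": {"shadowLastChange": "14466", "shadowMax": "90"},
    # Account past its shadowExpire date.
    "expired": {"shadowLastChange": "14466", "shadowExpire": "14000"},
    # No shadowAccount attributes at all: ageing is not enforced.
    "no_shadow": {},
}

if __name__ == "__main__":
    for user, attrs in SAMPLES.items():
        print(f"{user}: {shadow_status(attrs)}")
```
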