pam_ldap passwd entry when using kerberos

Bug #971248 reported by Brian J. Murrell

This bug report was converted into a question: question #192405: pam_ldap passwd entry when using kerberos.

This bug affects 1 person
Affects: libpam-ldap (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

I have both libpam-ldap and libpam-krb5 installed because I am using Kerberos for authentication here. The implication is that I am not using passwords in ldap.

When I try to change my password I get this in the auth.log:

Apr 1 23:21:30 foo passwd[4927]: pam_unix(passwd:chauthtok): user "brian" does not exist in /etc/passwd
Apr 1 23:21:38 foo passwd[4927]: pam_krb5(passwd:chauthtok): user brian changed Kerberos password
Apr 1 23:21:38 foo passwd[4927]: pam_unix(passwd:chauthtok): user "brian" does not exist in /etc/passwd
Apr 1 23:21:38 foo passwd[4927]: pam_ldap: ldap_modify_s Insufficient access

The tty where I changed my password shows:

$ passwd
Current Kerberos password:
Enter new Kerberos password:
Retype new Kerberos password:
LDAP password information update failed: Insufficient access
passwd: Permission denied
passwd: password unchanged

Presumably this is all because PAM is trying to manipulate passwords in LDAP but they just don't/shouldn't exist there.

My /etc/pam.d/common-passwd looks like this:

# here are the per-package modules (the "Primary" block)
password requisite pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_gnome_keyring.so
password optional pam_ecryptfs.so
# end of pam-auth-update config

Does the configuration need to allow for whatever failure is causing the "ldap_modify_s Insufficient access" in the case where LDAP is not being used for authentication?

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: libpam-ldap 184-8.4ubuntu1
ProcVersionSignature: Ubuntu 2.6.38-13.56-generic 2.6.38.8
Uname: Linux 2.6.38-13-generic i686
Architecture: i386
Date: Sun Apr 1 23:37:37 2012
ProcEnviron:
 LANGUAGE=en_CA:en
 PATH=(custom, no user)
 LANG=en_CA
 LC_MESSAGES=en_CA.UTF-8
 SHELL=/bin/bash
SourcePackage: libpam-ldap
UpgradeStatus: No upgrade log present (probably fresh install)

James Page (james-page) wrote :

Thank you for taking the time to report this issue and helping to make Ubuntu better. Examining the information you have given us, this does not appear to be a bug report so we are closing it and converting it to a question in the support tracker. We understand the difficulties you are facing, but it is better to raise problems you are having in the support tracker at https://answers.launchpad.net/ubuntu if you are uncertain if they are bugs. You can also find valid support at http://askubuntu.com or by posting your question in the support forum of your local Ubuntu community. For help on reporting bugs, see https://help.ubuntu.com/community/ReportingBugs.

Changed in libpam-ldap (Ubuntu):
status: New → Invalid