Cannot change Kerberos password with passwd(1)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
libpam-krb5 (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
This concerns libpam-krb5 version 4.2-1 in Ubuntu Natty, and is a revisiting of an issue previously addressed in bug 334795.
$ passwd
Current Kerberos password:
passwd: Authentication token manipulation error
passwd: password unchanged
Previous reports I've filed described issues encountered on an Ubuntu installation configured to use Kerberos, LDAP and AFS, a large number of moving parts which tended to confuse the issue at hand. This time, however, I've managed to reproduce the bug on a minimal Ubuntu install, with libpam-krb5, and a local user (uid=1000) with the same name as an existing Kerberos user. The Kerberos and PAM configs are stock; Kerberos server information is being pulled from DNS. LDAP and AFS are completely out of the picture.
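I can log into the system as the Kerberos user without issue, but if I attempt to change the password, I get the above error. If I add the "debug" option to the pam_krb5 invocation in /etc/pam.d/common-password, and then try again, I see this in /var/log/auth.log:
Aug 15 17:46:31 test-linux passwd[935]: pam_krb5(passwd:chauthtok): pam_sm_chauthtok: entry (0x4000)
Aug 15 17:46:31 test-linux passwd[935]: pam_krb5(passwd:chauthtok): (user dgomez) attempting authentication as <email address hidden>
Aug 15 17:46:34 test-linux passwd[935]: pam_krb5(passwd:chauthtok): pam_sm_chauthtok: exit (success)
Aug 15 17:46:34 test-linux passwd[935]: pam_unix(passwd:chauthtok): authentication failure; logname=daniel uid=1000 euid=0 tty= ruser= rhost= user=daniel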
So, what's the deal with this error?
"Daniel Richard G." <email address hidden> writes:
> I can log into the system as the Kerberos user without issue, but if I
> attempt to change the password, I get the above error. If I add the
> "debug" option to the pam_krb5 invocation in /etc/pam.d/common-password,
> and then try again, I see this in /var/log/auth.log:
> Aug 15 17:46:31 test-linux passwd[935]: pam_krb5(passwd:chauthtok): pam_sm_chauthtok: entry (0x4000)
> Aug 15 17:46:31 test-linux passwd[935]: pam_krb5(passwd:chauthtok): (user dgomez) attempting authentication as <email address hidden>
> Aug 15 17:46:34 test-linux passwd[935]: pam_krb5(passwd:chauthtok): pam_sm_chauthtok: exit (success)
> Aug 15 17:46:34 test-linux passwd[935]: pam_unix(passwd:chauthtok): authentication failure; logname=daniel uid=1000 euid=0 tty= ruser= rhost= user=daniel
> So, what's the deal with this error?
You have some other PAM module stacked with pam-krb5 that's rejecting
password changes for that user. Probably pam_unix without /etc/shadow
data.
--
Russ Allbery (<email address hidden>) <http://www.eyrie.org/~eagle/>
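
Added example, not part of the original thread: a small Python triage of auth.log lines in the format quoted above, grouping PAM messages per process and reporting which stacked module logged the failure. The sample lines are constructed from the report (principal replaced with a placeholder), and the function names `triage` and `failing_modules` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the auth.log lines in the report above;
# the Kerberos principal is a placeholder.
SAMPLE_LOG = """\
Aug 15 17:46:31 test-linux passwd[935]: pam_krb5(passwd:chauthtok): pam_sm_chauthtok: entry (0x4000)
Aug 15 17:46:31 test-linux passwd[935]: pam_krb5(passwd:chauthtok): (user daniel) attempting authentication as daniel@EXAMPLE.ORG
Aug 15 17:46:34 test-linux passwd[935]: pam_krb5(passwd:chauthtok): pam_sm_chauthtok: exit (success)
Aug 15 17:46:34 test-linux passwd[935]: pam_unix(passwd:chauthtok): authentication failure; logname=daniel uid=1000 euid=0 tty= ruser= rhost= user=daniel
"""

# "<program>[<pid>]: pam_<module>(<service>:<type>): <message>"
LINE_RE = re.compile(
    r"(?P<prog>[\w./-]+)\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\((?P<service>[^:)]+):(?P<type>[^)]+)\): (?P<msg>.*)$"
)
EXIT_RE = re.compile(r"pam_sm_\w+: exit \((?P<result>[^)]*)\)")
FAILURE_RE = re.compile(r"\b(failure|failed|denied|error)\b", re.IGNORECASE)


def triage(log_text):
    """Return {(pid, service, type): {module: verdict}} per PAM transaction."""
    results = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a PAM module line
        exit_m = EXIT_RE.search(m["msg"])
        if exit_m:
            # Exit status the module logs when run with "debug", as in the report
            ok = exit_m["result"] in ("success", "ignore")
            verdict = "ok" if ok else "failed: exit (%s)" % exit_m["result"]
        elif FAILURE_RE.search(m["msg"]):
            verdict = "failed: " + m["msg"].split(";")[0]
        else:
            continue  # entry or progress line, carries no verdict
        mods = results[(int(m["pid"]), m["service"], m["type"])]
        if mods.get(m["module"]) in (None, "ok"):  # keep the first failure seen
            mods[m["module"]] = verdict
    return dict(results)


def failing_modules(log_text):
    """Map each PAM transaction to the modules that logged a failure."""
    return {key: [mod for mod, v in mods.items() if v != "ok"]
            for key, mods in triage(log_text).items()}
```

On the sample, pam_krb5 is reported as ok and pam_unix as the failing module for the `passwd` chauthtok transaction, which is the situation the reply describes.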