Comment 3 for bug 826989

Russ Allbery (rra-debian) wrote : Re: [Bug 826989] Re: Cannot change Kerberos password with passwd(1)

"Daniel Richard G." <email address hidden> writes:

> The shadow database has a non-hashable password field for the user.
> Kerberos is the only way this user can log in. Why wouldn't the behavior
> of a password change then simply update the Kerberos password, and leave
> the Unix one alone?

Because you don't have PAM configured to do that? I'd have to see the PAM
configuration to be sure, but generally PAM is configured to require the
various stacked modules to succeed, so if pam_unix fails, it fails the
stack. You have to ensure that the module is configured so that the ones
you're not interested in using are skipped properly and their exit status
doesn't contribute to the result.

It's hard to be more specific without knowing the behavior that you want,
but there are several examples in the libpam-krb5 documentation that try
to cover some of the common cases.

What's clear from your trace, though, is that this is not a libpam-krb5
problem. Everything about libpam-krb5 in your trace succeeded; some other
module is failing.

--
Russ Allbery (<email address hidden>) <http://www.eyrie.org/~eagle/>
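
The stacking behaviour described in the comment above, as an added example that is not part of the original comment or of libpam-krb5. It is a simplified Python model of how one pass through a PAM stack combines module results. The stacks and module return values are constructed for illustration and are not the reporter's configuration; bracket-style controls, `PAM_IGNORE` and the two-phase password chain are not modelled.

```python
# Simplified model of Linux-PAM result combination for a single stack pass.
# Assumption: only the keyword controls required/requisite/sufficient/optional.
SUCCESS, FAIL = "success", "fail"

def run_stack(stack, results):
    """stack: list of (control, module); results: module -> SUCCESS or FAIL.
    Returns (final_result, modules_called_in_order)."""
    status = None              # None: no module has contributed a result yet
    called = []
    for control, module in stack:
        ret = results[module]
        called.append(module)
        if ret == SUCCESS:
            if status is None:
                status = SUCCESS
            # 'sufficient' ends the stack early, but only if nothing
            # before it has already recorded a failure.
            if control == "sufficient" and status == SUCCESS:
                break
        elif control in ("required", "requisite"):
            status = FAIL      # failure is sticky for the rest of the stack
            if control == "requisite":
                break
        # a failing 'sufficient' or 'optional' module is ignored
    return (status or FAIL), called

# Constructed module results: Kerberos change works, local change cannot.
RESULTS = {"pam_krb5.so": SUCCESS, "pam_unix.so": FAIL}

# Constructed stacks (hypothetical, not taken from the bug report).
STRICT = [("required", "pam_krb5.so"), ("required", "pam_unix.so")]
KRB5_FIRST = [("sufficient", "pam_krb5.so"), ("required", "pam_unix.so")]
UNIX_FIRST = [("required", "pam_unix.so"), ("sufficient", "pam_krb5.so")]

if __name__ == "__main__":
    for name, stack in (("STRICT", STRICT), ("KRB5_FIRST", KRB5_FIRST),
                        ("UNIX_FIRST", UNIX_FIRST)):
        result, called = run_stack(stack, RESULTS)
        print(f"{name:11} -> {result:7} called={called}")
```

In the `KRB5_FIRST` stack pam_unix is never called, so its failure cannot contribute to the result; in `UNIX_FIRST` the same two lines in the other order still fail.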