likewise-open prevents local passwords from being changed
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
likewise-open (Ubuntu) | Triaged | Medium | Unassigned |
pam (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
Binary package hint: likewise-open
After installing likewise-open on 8.10 I am unable to change any local passwords.
The latest updates have just been applied - some updates to libpam were included but did not fix the problem.
This appears only to be the case with users with empty passwords.
jakob@ubuntu:~$ passwd
Changing password for jakob.
(current) UNIX password:
^C
passwd: Authentication token manipulation error
passwd: password unchanged
jakob@ubuntu:~$
jakob@ubuntu:~$ sudo su -
[sudo] password for jakob:
root@ubuntu:~# passwd
passwd: password updated successfully
root@ubuntu:~#
root@ubuntu:~# adduser testuser
Adding user `testuser' ...
[output cut]
root@ubuntu:~#
root@ubuntu:~#
root@ubuntu:~#
root@ubuntu:~# passwd testuser
passwd: password updated successfully
root@ubuntu:~#
The passwd command simply prints out that "password updated successfully" message then exits.
description: updated
Changed in likewise-open: status: Confirmed → New
Changed in likewise-open (Ubuntu): status: Confirmed → Triaged
Confirming...
Once likewise-open is installed (whether a domain is joined or not), running "passwd" to change a local password fails: it never prompts for a new password. (Changing a domain password works.)
It also always returns "passwd: password updated successfully"
I suppose there is something wrong in the PAM stack:
password [success=2 default=ignore] pam_lwidentity.so
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so
use_authtok forces pam_unix.so to use the password entered for pam_lwidentity.so... but if the user is not in the domain there is no such token. There is little to gain in reusing passwords between pam_lwidentity.so and pam_unix.so, since they aren't targeting the same users...
As a dirty workaround "use_authtok" can be removed from /etc/pam.d/common-password:
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
(that change will be overridden next time pam-auth-update is run)
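
The reasoning in the comment above can be turned into a configuration check. The following is an added example, not part of the bug report or of likewise-open: a heuristic Python lint that flags use_authtok on a password-stack module when no earlier module in that stack is mandatory, so nothing is guaranteed to have collected a new password. The function names and the sample text are constructed for illustration, and the input is assumed to be in /etc/pam.d file format.

```python
import re

# Constructed sample: the password stack quoted in the comment above.
SAMPLE_STACK = """\
password [success=2 default=ignore] pam_lwidentity.so
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so
"""

# Simple controls under which a failing module makes the whole stack fail.
MANDATORY = {"required", "requisite"}
ENTRY = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")


def parse_stack(text, mgmt="password"):
    """Return (control, module, args) per entry of one management group."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.split("#", 1)[0].strip())
        if m and m.group(1).lstrip("-") == mgmt:
            entries.append((m.group(2), m.group(3), m.group(4).split()))
    return entries


def failure_is_tolerated(control):
    """True if the stack carries on when this module fails or is ignored."""
    if control.startswith("["):
        # Simplification: only an explicit default=ignore counts as tolerant.
        pairs = (kv.partition("=")[::2] for kv in control.strip("[]").split())
        return dict(pairs).get("default") == "ignore"
    return control not in MANDATORY


def orphaned_use_authtok(text):
    """Modules given use_authtok before any mandatory module has run."""
    findings, token_expected = [], False
    for control, module, args in parse_stack(text):
        if "use_authtok" in args and not token_expected:
            findings.append(module)
        if not failure_is_tolerated(control):
            token_expected = True
    return findings


if __name__ == "__main__":
    print(orphaned_use_authtok(SAMPLE_STACK))
```

To check a live system, pass the text of /etc/pam.d/common-password to orphaned_use_authtok, and re-run it after pam-auth-update regenerates the file.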