[Bug 570944] Re: passwd : gives "Authentication token manipulation error"

Steve Langasek steve.langasek at canonical.com
Thu Jul 29 00:35:46 BST 2010


This is a tricky one.  Dropping use_authtok does solve the problem of
pam_unix not prompting for the password, but it also changes the
behavior in the case that you have a password strength checking module
stacked first, such as pam_cracklib.  If pam_cracklib is configured, we
don't want pam_winbind to prompt for a different password after we've
gone to all the trouble of checking the strength of the first one
entered!

This problem affects other combinations of stacked modules as well
(e.g., pam_krb5+pam_unix), and needs to be solved generally.  Currently
the best solution I can offer is for PAM modules to always prompt for
passwords even when they don't need them, in order to ensure correct
usage of use_authtok.  Alternatively, we could fix modules that accept
use_authtok to recognize the lack of a password token as valid and
prompt for it after all, or we could introduce a new common module
option with "use_authtok_if_available" semantics.  In any event, we
don't want to lose the current behavior that modules *must* use the
existing password if provided rather than prompting separately, and any
solution we implement needs to be done systemically; so please don't
change the winbind pam profile without us first having a larger
conversation about how to make this work.

-- 
passwd : gives "Authentication token manipulation error"
https://bugs.launchpad.net/bugs/570944
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in ubuntu.
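
The stacking behaviour discussed in the message above, as an added example that is not part of the original message and is not PAM or libpam code. It is a simplified Python model that assumes stand-in module names ("checker", "first", "second") and a constructed length rule, and it treats "use_authtok_if_available" as the hypothetical option the message proposes.

```python
"""Toy model of a PAM password stack (illustration only, not libpam code)."""
AUTHTOK_ERR = "Authentication token manipulation error"
MIN_LEN = 8  # constructed strength rule for the checker stand-in


def run_stack(stack, typed):
    """Run (name, option, wants_user) modules against passwords typed in order.

    option is one of:
      "check"          strength checker: prompts, validates, sets the token
      "prompt"         no use_authtok: prompts, unless it skips this user
      "always_prompt"  no use_authtok: prompts even when it skips this user
      "use_authtok"    must reuse the token; error if none was set
      "use_authtok_if_available"  hypothetical: reuse if set, else prompt
    Returns (error_or_None, prompt_count, {module: password_it_stored}).
    """
    typed, token, prompts, stored = iter(typed), None, 0, {}
    for name, option, wants_user in stack:
        if option == "check":
            token, prompts = next(typed), prompts + 1
            if len(token) < MIN_LEN:
                return "weak password", prompts, stored
            continue
        if not wants_user and option != "always_prompt":
            continue  # module ignores this user and leaves no token behind
        if option.startswith("use_authtok") and token is not None:
            pass  # reuse the password an earlier module collected
        elif option == "use_authtok":
            return AUTHTOK_ERR, prompts, stored
        else:
            token, prompts = next(typed), prompts + 1
        if wants_user:
            stored[name] = token
    return None, prompts, stored


# Constructed stacks; "checker", "first" and "second" are stand-in names.
SKIP_THEN_STRICT = [("first", "prompt", False), ("second", "use_authtok", True)]
CHECK_THEN_PROMPT = [("checker", "check", True), ("first", "prompt", True),
                     ("second", "use_authtok", True)]
ALWAYS_PROMPT = [("first", "always_prompt", False), ("second", "use_authtok", True)]
IF_AVAILABLE = [("checker", "check", True),
                ("first", "use_authtok_if_available", False),
                ("second", "use_authtok_if_available", True)]

if __name__ == "__main__":
    print(run_stack(SKIP_THEN_STRICT, []))  # the reported error, no prompt shown
    print(run_stack(CHECK_THEN_PROMPT, ["Str0ng-Phrase", "abc"]))  # second entry unchecked
    print(run_stack(ALWAYS_PROMPT, ["Str0ng-Phrase"]))
    print(run_stack(IF_AVAILABLE, ["Str0ng-Phrase"]))
    print(run_stack(IF_AVAILABLE[1:], ["Str0ng-Phrase"]))  # no checker stacked
```

In the second stack the password that gets stored is the one typed at the second prompt, which never went through the checker; that is the regression the message warns about when use_authtok is simply dropped.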


