[Bug 971248] [NEW] pam_ldap passwd entry when using kerberos
Brian J. Murrell
brian at interlinx.bc.ca
Mon Apr 2 03:53:50 UTC 2012
Public bug reported:
I have both libpam-ldap and libpam-krb5 installed because I am using
Kerberos for authentication here. The implication is that I am not
using passwords in ldap.
When I try to change my password I get this in the auth.log:
Apr 1 23:21:30 foo passwd[4927]: pam_unix(passwd:chauthtok): user "brian" does not exist in /etc/passwd
Apr 1 23:21:38 foo passwd[4927]: pam_krb5(passwd:chauthtok): user brian changed Kerberos password
Apr 1 23:21:38 foo passwd[4927]: pam_unix(passwd:chauthtok): user "brian" does not exist in /etc/passwd
Apr 1 23:21:38 foo passwd[4927]: pam_ldap: ldap_modify_s Insufficient access
The tty where I changed my password shows:
$ passwd
Current Kerberos password:
Enter new Kerberos password:
Retype new Kerberos password:
LDAP password information update failed: Insufficient access
passwd: Permission denied
passwd: password unchanged
Presumably this is all because PAM is trying to manipulate passwords in
LDAP but they just don't/shouldn't exist there.
My /etc/pam.d/common-passwd looks like this:
# here are the per-package modules (the "Primary" block)
password requisite pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_gnome_keyring.so
password optional pam_ecryptfs.so
# end of pam-auth-update config
Does the configuration need to allow for whatever failure is causing the
"ldap_modify_s Insufficient access" in the case where LDAP is not being
used for authentication?
ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: libpam-ldap 184-8.4ubuntu1
ProcVersionSignature: Ubuntu 2.6.38-13.56-generic 2.6.38.8
Uname: Linux 2.6.38-13-generic i686
Architecture: i386
Date: Sun Apr 1 23:37:37 2012
ProcEnviron:
LANGUAGE=en_CA:en
PATH=(custom, no user)
LANG=en_CA
LC_MESSAGES=en_CA.UTF-8
SHELL=/bin/bash
SourcePackage: libpam-ldap
UpgradeStatus: No upgrade log present (probably fresh install)
** Affects: libpam-ldap (Ubuntu)
Importance: Undecided
Status: New
** Tags: apport-bug i386 natty
https://bugs.launchpad.net/bugs/971248
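Added example, not part of the bug report: a simplified model of Linux-PAM's control-flag semantics applied to the common-password stack quoted above, with module return values constructed to match the auth.log lines. It shows that when pam_ldap's chauthtok returns PAM_PERM_DENIED ("Insufficient access") the stack dies with that status after pam_krb5 has already run, and, going beyond the report, what the same stack returns when pam_ldap instead reports the user as unknown.

```python
# Added example (not from the bug report): simplified Linux-PAM control-flag
# semantics for the quoted common-password stack. Return values below are
# constructed to match the auth.log lines, not taken from a real PAM run.

SUCCESS, USER_UNKNOWN, PERM_DENIED, AUTHTOK_ERR = (
    "success", "user_unknown", "perm_denied", "authtok_err")

# Expansions of the simple control keywords (simplified to what is needed).
REQUISITE = {"success": "ok", "default": "die"}
REQUIRED = {"success": "ok", "default": "bad"}

# The "password" lines of the report's /etc/pam.d/common-password.
STACK = [
    ("pam_krb5", REQUISITE),
    ("pam_unix", {"success": 2, "default": "ignore"}),
    ("pam_ldap", {"success": 1, "user_unknown": "ignore", "default": "die"}),
    ("pam_deny", REQUISITE),
    ("pam_permit", REQUIRED),
]

def run_stack(stack, results):
    """Walk the stack once; return (final status, modules that ran).
    An integer action behaves like "ok" and also skips that many modules."""
    status, ran, i = None, [], 0
    while i < len(stack):
        name, controls = stack[i]
        ret = results[name]
        action = controls.get(ret, controls["default"])
        ran.append(name)
        i += 1
        if action == "ignore":
            continue
        # ok/bad/die/N: a result only overwrites an unset or successful
        # status, so the first failure recorded is the one that sticks.
        if status in (None, SUCCESS):
            status = ret
        if action == "die":
            break
        if isinstance(action, int):
            i += action
    return status, ran

def chauthtok(ldap_result):
    """Constructed returns matching the log: krb5 succeeds, pam_unix finds no
    /etc/passwd entry, pam_ldap returns ldap_result; pam_deny always fails."""
    return run_stack(STACK, {"pam_krb5": SUCCESS, "pam_unix": USER_UNKNOWN,
                             "pam_ldap": ldap_result, "pam_deny": AUTHTOK_ERR,
                             "pam_permit": SUCCESS})
```

Only the update pass of chauthtok is modelled; the preliminary-check pass and the remaining Linux-PAM actions (done, reset) are left out.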