Fresh Debian 12 for lab (VM). I installed: slapd, phpldapadmin, nslcd, nscd and dependencies. I have two local accounts: root and user1. Also I have only user1 POSIX-account on local LDAP server. I can change password for user1 by passwd. The password changes both on the LDAP server and in shadow-file. I can login as both root and user1 via ssh.
I cannot change password for root by passwd, because right after I invoke the program:
passwd: Authentication token manipulation error passwd: password unchanged There is no prompt for password (current or new).
How can I change the local root password if there is no root account on the LDAP server?
Is this the correct result of passwd or some configuration error?
Here's my config:
nslcd.conf:
uid nslcd gid nslcd uri ldap://127.0.0.1/ base dc=debian,dc=valhalla,dc=**,dc=** tls_cacertfile /etc/ssl/certs/ca-certificates.crt nscd.conf:
debug-level 0 paranoia no enable-cache passwd yes positive-time-to-live passwd 600 negative-time-to-live passwd 20 suggested-size passwd 211 check-files passwd yes persistent passwd yes shared passwd yes max-db-size passwd 33554432 auto-propagate passwd yes enable-cache group yes positive-time-to-live group 3600 negative-time-to-live group 60 suggested-size group 211 check-files group yes persistent group yes shared group yes max-db-size group 33554432 auto-propagate group yes enable-cache hosts yes positive-time-to-live hosts 3600 negative-time-to-live hosts 20 suggested-size hosts 211 check-files hosts yes persistent hosts yes shared hosts yes max-db-size hosts 33554432 enable-cache services yes positive-time-to-live services 28800 negative-time-to-live services 20 suggested-size services 211 check-files services yes persistent services yes shared services yes max-db-size services 33554432 enable-cache netgroup yes positive-time-to-live netgroup 28800 negative-time-to-live netgroup 20 suggested-size netgroup 211 check-files netgroup yes persistent netgroup yes shared netgroup yes max-db-size netgroup 33554432 nsswitch.conf:
passwd: files ldap group: files ldap shadow: files ldap gshadow: files hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis common-account:
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so account requisite pam_deny.so account required pam_permit.so account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000 common-auth:
auth [success=2 default=ignore] pam_unix.so nullok auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass auth requisite pam_deny.so auth required pam_permit.so common-password:
password required pam_unix.so obscure yescrypt password sufficient pam_ldap.so minimum_uid=1000 try_first_pass password requisite pam_deny.so password required pam_permit.so common-session:
session [default=1] pam_permit.so session requisite pam_deny.so session required pam_permit.so session required pam_unix.so session [success=ok default=ignore] pam_ldap.so minimum_uid=1000 session optional pam_systemd.so 