Cannot change Kerberos password with passwd

Question

I set up a common kerberos authentication for my domain. After that, it's working fine without any issues. But a user cannot change the password using Linux command. On analysis on this, I got the below error in /var/log/auth.log:

bharathi passwd[3715]: pam_unix(passwd:chauthtok): authentication failure; logname=test uid=1000 euid=0 tty= ruser= rhost= user=test

Response from Kerberos Admin Server.

May 11 16:44:48 bharathi krb5kdc[28795](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.27.50: NEEDED_PREAUTH: [email protected] for kadmin/[email protected], Additional pre-authentication required May 11 16:44:48 bharathi krb5kdc[28795](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.27.50: ISSUE: authtime 1368270888, etypes {rep=18 tkt=18 ses=18}, [email protected] for kadmin/[email protected] May 11 16:45:07 bharathi krb5kdc[28795](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.27.50: NEEDED_PREAUTH: [email protected] for kadmin/[email protected], Additional pre-authentication required May 11 16:45:07 bharathi krb5kdc[28795](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.27.50: ISSUE: authtime 1368270907, etypes {rep=18 tkt=18 ses=18}, [email protected] for kadmin/[email protected] 

Response from kerberos admin server seems to be okay. I suspect the problem might be in pam.d configuration.

common-auth

# # /etc/pam.d/common-auth - authentication settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modules that define # the central authentication scheme for use on the system # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. auth sufficient pam_krb5.so minimum_uid=1000 # here are the per-package modules (the "Primary" block) auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000 auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass auth [success=1 default=ignore] pam_lsass.so try_first_pass # here's the fallback if no module succeeds auth requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around auth required pam_permit.so # and here are more per-package modules (the "Additional" block) # end of pam-auth-update config 

common-account

 # # /etc/pam.d/common-account - authorization settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authorization modules that define # the central access policy for use on the system. The default is to # only deny service to users whose accounts are expired in /etc/shadow. # # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. # account required pam_krb5.so minimum_uid=1000 # here are the per-package modules (the "Primary" block) account [success=3 new_authtok_reqd=done default=ignore] pam_unix.so account [success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok account [success=1 new_authtok_reqd=done default=ignore] pam_lsass.so # here's the fallback if no module succeeds account requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around account required pam_permit.so # and here are more per-package modules (the "Additional" block) # end of pam-auth-update config 

common-password

 # # /etc/pam.d/common-password - password-related modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define the services to be # used to change user passwords. The default is pam_unix. # Explanation of pam_unix options: # # The "sha512" option enables salted SHA512 passwords. Without this option, # the default is Unix crypt. Prior releases used the option "md5". # # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in # login.defs. # # See the pam_unix manpage for other options. # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. # here are the per-package modules (the "Primary" block) password requisite pam_krb5.so minimum_uid=1000 password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 password [success=1 default=ignore] pam_lsass.so use_authtok try_first_pass # here's the fallback if no module succeeds password requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around password required pam_permit.so # and here are more per-package modules (the "Additional" block) password optional pam_gnome_keyring.so # end of pam-auth-update config 

What am I doing wrong here?

Answer 1

Your auth.log contains the following hint:

bharathi passwd[3715]: pam_unix(passwd:chauthtok): authentication failure; logname=test uid=1000 euid=0 tty= ruser= rhost= user=test

Looking at common-password the relevant lines are:

password requisite pam_krb5.so minimum_uid=1000

The Kerberos-PAM-module will only handle users with uid>=1000, which is good to keep local accounts like root working even when the network fails.

The requisite marks this module as always required, so in this case success is stored as the result but the following modules are still executed.

password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512

The next module is the failing unix module, which now tries to change the password in /etc/shadow. But since this is a Kerberos user, there is probably no entry in /etc/shadow. Due to the ignore this failure is ignored: the error is still logged but the result for the PAM stack is not changed.

But then the next module follows:

password requisite pam_deny.so

This will finally overwrite the previous result code with deny and thus deny the request to change the password.

If it's sufficient to only change the Kerbers password, change the requisite for Kerberos into [success=3 default=ignore], which would skip the next 3 modules (unix, lsass,deny) on success and thus continue with the pam_permit.so, which forces the stack to finally return success.

If on the other hand your have users with both entries in /etc/shadow and in Kerberos, and you want to keep those two password in sync, it gets a lot more complicated to get right. Something like to following should work:

1. First try to change the Kerberos password.
2. If that succeeds, try to optionally also change the local Unix password in /etc/shadow.

3. Otherwise require the Unix password change to succeed.

   password [success=3 user_unknown=ignore default=ignore] pam_krb5.so minimum_uid=1000 password [success=3 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 password [success=2 default=ignore] pam_lsass.so use_authtok try_first_pass password requisite pam_deny.so password [success=ok default=ignore] pam_unix.so obscure use_authtok use_first_pass sha512 password required pam_permit.so