Package: libpam-krb5
Version: 4.3-1
Severity: important
User: [email protected]                 
Usertags: debian-edu

I discovered this in Debian Edu/Squeeze.  After installation, the passwd
tool is not able to change the password of a LDAP user with
authentication using Kerberos.

I see messages like this in auth.log when trying to change the password:

  Jan 18 11:08:18 tjener passwd[8124]: pam_unix(passwd:chauthtok): user
  "pere" does not exist in /etc/passwd

The user in question have uid = 1000.  The generated
/etc/pam.d/common-password file got this content (removed comments for
clarity):

  password requisite                  pam_krb5.so minimum_uid=1000
  password [success=1 default=ignore] pam_unix.so obscure use_authtok 
try_first_pass sha512
  password requisite                  pam_deny.so
  password required                   pam_permit.so
  password optional                   pam_gnome_keyring.so

Changing the 'requisite' for pam_krb5 to 'sufficient' make password
changing work.  Is password changing supposed to be working in the
default setup in Squeeze?  What should the commno-password file look
like in a correct setup?

-- System Information:
Debian Release: 6.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=nb_NO.UTF-8, LC_CTYPE=nb_NO.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-krb5 depends on:
ii  krb5-config         2.2                  Configuration files for Kerberos V
ii  libc6               2.11.2-10            Embedded GNU C Library: Shared lib
ii  libkrb5-3           1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries
ii  libpam-runtime      1.1.1-6.1+squeeze1   Runtime support for the PAM librar
ii  libpam0g            1.1.1-6.1+squeeze1   Pluggable Authentication Modules l

libpam-krb5 recommends no packages.

libpam-krb5 suggests no packages.

-- no debconf information



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to