RHEL4 and Active Directory Integration (pam_krb5) -- cannot change password
I am trying to use Kerberos to authenticate *NIX client accounts against
a Windows 2003 Active Directory.

The kerberos packages that are installed on the Red Hat system are:

krb5-libs-1.3.4-33
krb5-devel-1.3.4-33
pam_krb5-2.1.8-1
krb5-auth-dialog-0.2-1
krb5-workstation-1.3.4-33

I have created a keytab file using the MS Windows utility ktpass.

When I log on to the Red Hat system everything works as expected and I can
see the following in the /var/log/messages file:

sshd: pam_krb5[3554]: krb5_get_init_creds_password(krbtgt/AD.NET@xxxxxx) returned 0 (Success)
pam_krb5[3554]: validating credentials
pam_krb5[3554]: TGT verified using key for 'host/vmlnx01.ad.net@xxxxxx'
pam_krb5[3554]: TGT verified using key for 'host/vmlnx01.ad.net@xxxxxx'
pam_krb5[3554]: got result 0 (Success)
pam_krb5[3554]: authentication succeeds for 'aduser' (aduser@xxxxxx)
pam_krb5[3554]: authentication succeeds for 'aduser' (aduser@xxxxxx)
pam_krb5[3554]: pam_authenticate returning 0 (Success)

At this point everything looks fine and it appears the keytab file was
used successfully.

Now if I try to issue the `passwd' command for the user who just
successfully logged on to the system, I see the following in
/var/log/messages:

passwd: pam_krb5[3589]: authenticating 'aduser@xxxxxx' to 'kadmin/changepw@xxxxxx'
passwd: pam_krb5[3589]: krb5_get_init_creds_password(kadmin/changepw@xxxxxx) returned 5 (Input/output error)
passwd: pam_krb5[3589]: Got 5 (Input/output error) acquiring credentials for kadmin/changepw.
passwd: pam_krb5[3589]: authenticating 'aduser@xxxxxx' to 'kadmin/changepw@xxxxxx'
passwd: pam_krb5[3589]: krb5_get_init_creds_password(kadmin/changepw@xxxxxx) returned 0 (Success)
passwd: pam_krb5[3589]: validating credentials
passwd: pam_krb5[3589]: TGT failed verification using key for 'host/vmlnx01.ad.net@xxxxxx'
passwd: pam_krb5[3589]: TGT failed verification using key for 'host/vmlnx01.ad.net@xxxxxx'
passwd: pam_krb5[3589]: Got 0 (Success) acquiring credentials for kadmin/changepw.
pam_krb5[3589]: pam_chauthtok returning 7 (Authentication failure)

Why is krb5_get_init_creds_password returning 5?

If I turn off validation (validate = false) in /etc/krb5.conf the user is
able to change their password.

The contents of /etc/pam.d/system-auth look like the following:

auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so minimum_uid=500 use_first_pass debug
auth required /lib/security/$ISA/pam_deny.so

account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so debug
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_krb5.so minimum_uid=500 use_authok debug
password sufficient /lib/security/$ISA/pam_unix.so nullok use_first_pass md5 shadow
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5.so debug


Does anyone know why I can successfully authenticate and log in, but
cannot change a user's password?

Your help is appreciated.

Thanks.
--



________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos
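The pam_krb5 debug lines quoted above can be triaged mechanically, which helps when comparing a working login session with a failing password change. This is an added example, not part of the original post or of pam_krb5; its sample log is constructed from the shape of the lines quoted above, and the session-classification labels are this example's own.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?:(?P<svc>[\w-]+): )?pam_krb5\[(?P<pid>\d+)\]: (?P<msg>.*)$")
INIT_RE = re.compile(r"krb5_get_init_creds_password\((?P<princ>[^)]+)\) returned (?P<code>\d+) \((?P<text>[^)]*)\)")
VERIFY_RE = re.compile(r"TGT (?P<result>verified|failed verification) using key for '(?P<key>[^']+)'")
RETURN_RE = re.compile(r"(?P<fn>pam_\w+) returning (?P<code>\d+) \((?P<text>[^)]*)\)")

# Constructed sample, shaped like the sshd and passwd sessions quoted in the post.
SAMPLE_LOG = """\
sshd: pam_krb5[3554]: krb5_get_init_creds_password(krbtgt/AD.NET@xxxxxx) returned 0 (Success)
pam_krb5[3554]: TGT verified using key for 'host/vmlnx01.ad.net@xxxxxx'
pam_krb5[3554]: pam_authenticate returning 0 (Success)
passwd: pam_krb5[3589]: krb5_get_init_creds_password(kadmin/changepw@xxxxxx) returned 5 (Input/output error)
passwd: pam_krb5[3589]: krb5_get_init_creds_password(kadmin/changepw@xxxxxx) returned 0 (Success)
passwd: pam_krb5[3589]: TGT failed verification using key for 'host/vmlnx01.ad.net@xxxxxx'
pam_krb5[3589]: pam_chauthtok returning 7 (Authentication failure)
"""

def parse_pam_krb5(log_text):
    """Group pam_krb5 lines by PID: service, init-creds results, TGT checks, final rc."""
    sessions = defaultdict(lambda: {"service": None, "init_creds": [], "verify": [], "final": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a pam_krb5 line
        s = sessions[m.group("pid")]
        s["service"] = s["service"] or m.group("svc")  # the service prefix is missing on some lines
        msg = m.group("msg")
        if i := INIT_RE.search(msg):
            s["init_creds"].append((i.group("princ"), int(i.group("code")), i.group("text")))
        elif v := VERIFY_RE.search(msg):
            s["verify"].append((v.group("key"), v.group("result") == "verified"))
        elif r := RETURN_RE.search(msg):
            s["final"] = (r.group("fn"), int(r.group("code")), r.group("text"))
    return dict(sessions)

def diagnose(session):
    """Classify a session: ok / validation-failed / kdc-error / unknown (labels are this example's own)."""
    if session["final"] and session["final"][1] == 0:
        return "ok"
    if any(not ok for _, ok in session["verify"]):
        return "validation-failed"  # credentials obtained, but the keytab check of them failed
    if session["init_creds"] and all(code != 0 for _, code, _ in session["init_creds"]):
        return "kdc-error"  # every credential request failed
    return "unknown"

def report(log_text):
    """Map each PID to (service, diagnosis) for a quick overview."""
    return {pid: (s["service"], diagnose(s)) for pid, s in parse_pam_krb5(log_text).items()}
```

Run `report(open("/var/log/messages").read())` on a real log to see, per PID, which pam_krb5 step failed; a "validation-failed" passwd session alongside an "ok" sshd session is exactly the pattern in the post.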