Bug 130950

Summary: Cannot change kerberos passwords under FC2, works with RH9
Product: [Fedora] Fedora
Reporter: Jason Tibbitts <tibbs>
Component: pam_krb5
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED RAWHIDE
QA Contact: Brian Brock <bbrock>
Severity: medium
Docs Contact:
Priority: medium
Version: 2
CC: redhat-bugzilla
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: 2.1.2-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-08-31 10:49:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments (description, flags):
  Log from working RH9 machine (flags: none)
  Log from FC2 machine failing to allow a password change (flags: none)
  Log from successful password change (flags: none)

Description Jason Tibbitts 2004-08-25 19:12:44 EDT
Description of problem:
I'm rolling out FC2 across my department and I've discovered that
users cannot change their passwords.  Identically configured Red Hat 9
machines have no troubles.  I have tested both i386 and x86_64 FC2
machines; I have only i386-based RH9 machines.

/etc/pam.d/system-auth has:

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 type=Mathematics
password    sufficient    /lib/security/$ISA/pam_krb5.so debug=true use_authtok
password    required      /lib/security/$ISA/pam_deny.so

When running the "passwd" command, FC2 machines get:

> passwd
Changing password for user tibbs.
passwd: Authentication token manipulation error

Logging into a RH9 machine gives:

> passwd
Changing password for user tibbs.
Current Kerberos 5 password:

Version-Release number of selected component (if applicable):
pam_krb5-2.0.10-1

I will attach two logs, one from an FC2 machine and one from an RH9
machine, containing all of the debug output of the two password
invocations above.  The relevant errors from the FC2 log:

krb5_get_init_creds_password (kadmin/changepw@MATH.UH.EDU) returned 5
(Input/output error)
Got 5 (Input/output error) acquiring credentials for kadmin/changepw.
pam_chauthtok returning 7 (Authentication failure)

I did a tcpdump and found that both machines communicate with the KDC,
neither communicates with the kadmin server, and the working machine
exchanges one additional packet.

I suppose next I'll try out 2.1.1 from current rawhide.  Please let me
know if there's any additional information I can provide or if there's
anything I can test.  This seems similar to bug 117772, but my
machines don't have problems authenticating users; they just can't
change passwords.
Comment 1 Jason Tibbitts 2004-08-25 19:13:31 EDT
Created attachment 103108 [details]
Log from working RH9 machine
Comment 2 Jason Tibbitts 2004-08-25 19:14:06 EDT
Created attachment 103109 [details]
Log from FC2 machine failing to allow a password change
Comment 3 Jason Tibbitts 2004-08-25 19:35:12 EDT
Just tried 2.1.1; it fails in the same manner.

Also note that the Kerberos server is running FC2 (krb-server-1.3.3-7).
Comment 4 Nalin Dahyabhai 2004-08-26 19:00:19 EDT
pam_krb5 is misinterpreting the 'use_authtok' keyword to also mean
'use_first_pass'.
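The distinction in Comment 4 (use_first_pass reuses the current password an earlier module collected; use_authtok reuses the *new* password an earlier module collected) is easy to get wrong when reviewing a password stack like the system-auth fragment in the description. The following is an added example, not code from the bug report or from pam_krb5: a small parser for PAM password-stack lines that substitutes $ISA, splits module arguments, and flags a module carrying use_authtok before any module that could have collected the new password. The set of modules treated as "prompts for a new password when not given use_authtok" and the $ISA values are my assumptions, and the sample stack is the report's three lines re-joined onto one line each as PAM requires.

```python
"""Added example (not from the bug report or from pam_krb5): parse a PAM
password stack and check the use_authtok / use_first_pass pairing."""
import os

# Constructed sample: the three system-auth password lines from the report,
# each on a single line as PAM expects.
SAMPLE_STACK = """\
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 type=Mathematics
password    sufficient    /lib/security/$ISA/pam_krb5.so debug=true use_authtok
password    required      /lib/security/$ISA/pam_deny.so
"""

# Assumption: these modules prompt for (and set) the new password themselves
# when they are NOT given use_authtok.  pam_deny never prompts.
NEW_PASSWORD_PROMPTERS = {
    "pam_cracklib.so", "pam_pwquality.so", "pam_unix.so", "pam_krb5.so",
}


def parse_pam_stack(text, isa=""):
    """Parse 'type control module [args...]' lines into dicts.

    '#' comments and blank lines are skipped.  key=value arguments become
    {key: value}; bare flags such as use_authtok become {flag: True}.
    isa replaces the $ISA token ("" on i386, "../../lib64/security" on x86_64
    of that era, as an assumption); the path is normalised afterwards.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mtype, control, module, *args = fields
        path = os.path.normpath(module.replace("$ISA", isa))
        opts = {}
        for arg in args:
            key, sep, value = arg.partition("=")
            opts[key] = value if sep else True
        entries.append({
            "type": mtype,
            "control": control,
            "path": path,
            "module": os.path.basename(path),
            "args": opts,
        })
    return entries


def check_use_authtok(entries):
    """Return findings for password-stack modules whose use_authtok cannot
    be satisfied, i.e. no earlier module could have collected the new
    password.  This is the token use_authtok refers to; use_first_pass
    refers to the current (old) password and must not be conflated with it,
    which was the pam_krb5 defect in this report."""
    findings = []
    new_token_available = False
    for e in entries:
        if e["type"] != "password":
            continue
        has_use_authtok = e["args"].get("use_authtok") is True
        if has_use_authtok and not new_token_available:
            findings.append(
                f"{e['module']}: use_authtok but no earlier module could have "
                f"collected the new password"
            )
        if e["module"] in NEW_PASSWORD_PROMPTERS and not has_use_authtok:
            new_token_available = True
    return findings


if __name__ == "__main__":
    stack = parse_pam_stack(SAMPLE_STACK)
    for e in stack:
        print(e["control"], e["module"], e["args"])
    print("findings:", check_use_authtok(stack) or "none")
```

On the report's stack the check is clean: pam_cracklib runs first without use_authtok and collects the new password, so pam_krb5's use_authtok has a token to reuse. A stack that lists pam_krb5 with use_authtok and no prompting module before it is reported, which is the configuration error this check is meant to catch; the bug in the report was a different problem (the module treating use_authtok as use_first_pass) and is not something a config check can detect.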
Comment 5 Jason Tibbitts 2004-08-26 20:40:15 EDT
I pulled a copy of pam_krb5 from CVS and noticed you made some very
recent changes, so I hacked together an RPM and installed it on a test
machine.

Things seem to work much better now:

> passwd
Changing password for user tibbs.
Kerberos 5 Password:
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

It's odd that it's asking for "UNIX password", but I'll take it. 
There is still an instance of

krb5_get_init_creds_password(kadmin/changepw@MATH.UH.EDU) returned 5
(Input/output error)

in the logs; I'll attach a complete log from a successful password change.


Comment 6 Jason Tibbitts 2004-08-26 20:41:05 EDT
Created attachment 103149 [details]
Log from successful password change
Comment 7 Nalin Dahyabhai 2004-08-27 14:17:29 EDT
Wow, and I hadn't made a release yet.  Thanks!  The input/output error
is typically going to be caused by an empty password being set either
by the application or a previous module, though I don't know how one
would have been set in your configuration.

The pam_cracklib module is prompting for the new password.  You can
use the "type=" argument to change "UNIX" to whatever you like (or
just "type=" to remove it).