Description of problem:

I'm rolling out FC2 across my department and I've discovered that users cannot change their passwords. Identically configured Red Hat 9 machines have no troubles. I have tested both i386 and x86_64 FC2 machines; I have only i386-based RH9 machines.

/etc/pam.d/system-auth has:

    password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type=Mathematics
    password sufficient /lib/security/$ISA/pam_krb5.so debug=true use_authtok
    password required /lib/security/$ISA/pam_deny.so

When running the "passwd" command, FC2 machines get:

    > passwd
    Changing password for user tibbs.
    passwd: Authentication token manipulation error

Logging into a RH9 machine gives:

    > passwd
    Changing password for user tibbs.
    Current Kerberos 5 password:

Version-Release number of selected component (if applicable):

pam_krb5-2.0.10-1

I will attach two logs, one from an FC2 machine and one from an RH9 machine, containing all of the debug output of the two password invocations above. The relevant errors from the FC2 log:

    krb5_get_init_creds_password (kadmin/changepw.EDU) returned 5 (Input/output error)
    Got 5 (Input/output error) acquiring credentials for kadmin/changepw.
    pam_chauthtok returning 7 (Authentication failure)

I did a tcpdump and found that both machines communicate with the KDC, neither communicates with the kadmin server, and the working machine exchanges one additional packet.

I suppose next I'll try out 2.1.1 from current rawhide. Please let me know if there's any additional information I can provide or if there's anything I can test.

This seems similar to bug 117772, but my machines don't have problems authenticating users; they just can't change passwords.
Created attachment 103108: Log from working RH9 machine
Created attachment 103109: Log from FC2 machine failing to allow a password change
Just tried 2.1.1; it fails in the same manner. Also note that the Kerberos server is running FC2 (krb-server-1.3.3-7).
pam_krb5 is misinterpreting the 'use_authtok' keyword to also mean 'use_first_pass'.
I pulled a copy of pam_krb5 from CVS and noticed you made some very recent changes, so I hacked together an RPM and installed it on a test machine. Things seem to work much better now:

    > passwd
    Changing password for user tibbs.
    Kerberos 5 Password:
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.

It's odd that it's asking for "UNIX password", but I'll take it.

There is still an instance of

    krb5_get_init_creds_password(kadmin/changepw.EDU) returned 5 (Input/output error)

in the logs; I'll attach a complete log from a successful password change.
Created attachment 103149: Log from successful password change
Wow, and I hadn't made a release yet. Thanks! The input/output error is typically going to be caused by an empty password being set either by the application or a previous module, though I don't know how one would have been set in your configuration. The pam_cracklib module is prompting for the new password. You can use the "type=" argument to change "UNIX" to whatever you like (or just "type=" to remove it).
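A simplified model of the keyword mix-up diagnosed in this thread ('use_authtok' read as also meaning 'use_first_pass'), added here as an illustration; it is not pam_krb5's code. The function names, the `conflate` switch and the stored-password values are assumptions made for the example, which only shows where each password would come from in the reporter's stack.

```c
#include <stdio.h>
#include <string.h>

/* Flags a password-stack module derives from its pam.d arguments. */
struct pw_opts {
    int use_authtok;    /* take the NEW password from an earlier module */
    int use_first_pass; /* take the CURRENT password from an earlier module */
};

/* conflate != 0 models the misreading reported in this thread:
 * use_authtok is treated as if use_first_pass had been given too. */
struct pw_opts parse_opts(int argc, const char **argv, int conflate)
{
    struct pw_opts o = {0, 0};
    for (int i = 0; i < argc; i++) {
        if (strcmp(argv[i], "use_first_pass") == 0)
            o.use_first_pass = 1;
        if (strcmp(argv[i], "use_authtok") == 0) {
            o.use_authtok = 1;
            if (conflate) o.use_first_pass = 1;
        }
    }
    return o;
}

enum pw_source { PW_PROMPT, PW_FROM_STACK, PW_MISSING };

/* Prompt unless told to reuse a stored password; if told to reuse one
 * and nothing was stored, the module has nothing to work with. */
enum pw_source source_for(int reuse, const char *stored)
{
    if (!reuse) return PW_PROMPT;
    return (stored != NULL && stored[0] != '\0') ? PW_FROM_STACK : PW_MISSING;
}

int main(void)
{
    /* Constructed state for the reporter's stack (assumption): pam_cracklib
     * ran first and stored a new password; nothing stored the current one. */
    const char *args[] = {"debug=true", "use_authtok"};
    const char *stored_current = NULL, *stored_new = "constructed-new-pw";
    static const char *name[] = {"prompt", "from stack", "missing"};
    for (int conflate = 1; conflate >= 0; conflate--) {
        struct pw_opts o = parse_opts(2, args, conflate);
        printf("%s: current=%s new=%s\n", conflate ? "conflated" : "separate",
               name[source_for(o.use_first_pass, stored_current)],
               name[source_for(o.use_authtok, stored_new)]);
    }
    return 0;
}
```

With the keywords kept separate, the model prompts for the current password and takes the new one from the stack, which matches the prompt order in the successful run above.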