Red Hat Bugzilla – Bug 155791
userpasswd does not seem to update kerberos v5
Last modified: 2007-11-30 17:11:04 EST
Description of problem:
Userpasswd doesn't update kerberos 5 passwords through the applicable pam token.
However, vanilla passwd seems to have no trouble doing it. I'm filing it as
normal because it hampers the usefulness of the holy-grail kerberos single sign
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Change passwd with userpasswd. Try to kinit with new passwd.
2. Watch it fail.
3. Change passwd with passwd (after re-setting them both to the same).
4. Kinit again with new passwd, and viola!
Standard PAM configuration with kerberos selected and properly configured in
authentation system prefrence control pannel type thing.
Yes, my kerberos server is set up properly. No, I haven't muddled with my pam
There's potential that this is a symtom of Bug 1685 but, I have no way to verify
this for sure.
Hello Jason, are you sure that bug 1685 has anything to do with this usermode
problem? Could you please write here a correct reference let me have a look at it?
I meant Bug 16815.
Like I said, there's only potential, as they could be asking for a fix to work
with yppaswd ( or for pam_unix to do yppasswd changes ).
Sorry for the confusion.
This report targets the FC3 or FC4 products, which have now been EOL'd.
Could you please check that it still applies to a current Fedora release, and
either update the target product or close it ?
I'm sorry about the late response.
If you can still reproduce the problem, can you attach the relevant PAM config
The default PAM configuration is currently
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
which means that successfull change of the local password terminates the
password change operation and pam_krb5 is never used.
Sorry, it was a long time ago, and I took that system apart by now. I'd have to
set up a krb5 server and a fc again. Though, that does explain a bit, as I had a
local user set up AND was using kerberos for authentication (set through the
appropriate gui interface at setup time). I think passwd changed both the local
and krb password by default, whereas userpasswd would do just the local
(shouldn't they work the same?).
They both use the same configuration, so they certainly should work the same,
and IIRC they did when I was testing it.