Bug 187303 - Kerberos password change fails when TGT verification is enabled
Summary: Kerberos password change fails when TGT verification is enabled
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam_krb5 (Show other bugs)
(Show other bugs)
Version: 4.0
Hardware: All Linux
Target Milestone: ---
: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
Depends On:
TreeView+ depends on / blocked
Reported: 2006-03-29 21:02 UTC by Robert Basch
Modified: 2008-02-27 18:50 UTC (History)
1 user (show)

Fixed In Version: 2.1.16-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-02-27 18:50:22 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
patch to skip verification for non-TGT credentials (577 bytes, patch)
2006-03-29 21:02 UTC, Robert Basch
no flags Details | Diff

Description Robert Basch 2006-03-29 21:02:55 UTC
Description of problem:

When TGT verification is enabled on a machine with a valid host key in
/etc/krb5.keytab, users are unable to change their Kerberos
password; when they run /usr/bin/passwd, after they enter their current
Kerberos 5 password as prompted, the following fatal error is output:

passwd: Authentication token manipulation error

A "TGT failed verification ..." message is syslogged from pam_krb5 at the time
of failure.

TGT verification is enabled in /etc/krb5.conf:

        pam = {
          validate = true

When TGT verification is disabled, the password can be changed successfully.

Version-Release number of selected component (if applicable):

How reproducible:
Always, when system is configured as described.

Steps to Reproduce:
1. Enable TGT verification in /etc/krb5.conf (as above)
2. Create /etc/krb5.keytab, containing a valid host service key for the machine
3. Make sure Kerberos password-changing is enabled, e.g. in /etc/pam.d/system-auth:

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5
password    sufficient    /lib/security/$ISA/pam_krb5afs.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

4. Run /usr/bin/passwd to try to change the Kerberos (i.e. non-local) password
of a user, and enter the valid current Kerberos password for the user.

Actual results:
Fails with the error "Authentication token manipulation error"

Expected results:
When the correct current Kerberos password is entered, it should prompt for the
new Kerberos password.

Additional info:
I believe the problem is that pam_krb5 should not try to verify the
kadmin/changepw credentials obtained in pam_sm_chauthtok(); verification
should only be done for a TGT.  I am attaching a patch which fixes the problem;
it changes v5_get_creds() to only do TGT validation when the service is
KRB5_TGS_NAME (i.e. "krbtgt").

Comment 1 Robert Basch 2006-03-29 21:02:55 UTC
Created attachment 127019 [details]
patch to skip verification for non-TGT credentials

Comment 2 Nalin Dahyabhai 2006-03-29 21:05:27 UTC
Sounds right, looks right.

Comment 3 Nalin Dahyabhai 2008-02-27 18:50:22 UTC
Fixed as bug #230460, closing this one.

Note You need to log in before you can comment on or make changes to this bug.