Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 187303 - Kerberos password change fails when TGT verification is enabled
Kerberos password change fails when TGT verification is enabled
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam_krb5 (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
Brian Brock
Depends On:
  Show dependency treegraph
Reported: 2006-03-29 16:02 EST by Robert Basch
Modified: 2008-02-27 13:50 EST (History)
1 user (show)

See Also:
Fixed In Version: 2.1.16-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-02-27 13:50:22 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
patch to skip verification for non-TGT credentials (577 bytes, patch)
2006-03-29 16:02 EST, Robert Basch
no flags Details | Diff

  None (edit)
Description Robert Basch 2006-03-29 16:02:55 EST
Description of problem:

When TGT verification is enabled on a machine with a valid host key in
/etc/krb5.keytab, users are unable to change their Kerberos
password; when they run /usr/bin/passwd, after they enter their current
Kerberos 5 password as prompted, the following fatal error is output:

passwd: Authentication token manipulation error

A "TGT failed verification ..." message is syslogged from pam_krb5 at the time
of failure.

TGT verification is enabled in /etc/krb5.conf:

        pam = {
          validate = true

When TGT verification is disabled, the password can be changed successfully.

Version-Release number of selected component (if applicable):

How reproducible:
Always, when system is configured as described.

Steps to Reproduce:
1. Enable TGT verification in /etc/krb5.conf (as above)
2. Create /etc/krb5.keytab, containing a valid host service key for the machine
3. Make sure Kerberos password-changing is enabled, e.g. in /etc/pam.d/system-auth:

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5
password    sufficient    /lib/security/$ISA/pam_krb5afs.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

4. Run /usr/bin/passwd to try to change the Kerberos (i.e. non-local) password
of a user, and enter the valid current Kerberos password for the user.

Actual results:
Fails with the error "Authentication token manipulation error"

Expected results:
When the correct current Kerberos password is entered, it should prompt for the
new Kerberos password.

Additional info:
I believe the problem is that pam_krb5 should not try to verify the
kadmin/changepw credentials obtained in pam_sm_chauthtok(); verification
should only be done for a TGT.  I am attaching a patch which fixes the problem;
it changes v5_get_creds() to only do TGT validation when the service is
KRB5_TGS_NAME (i.e. "krbtgt").
Comment 1 Robert Basch 2006-03-29 16:02:55 EST
Created attachment 127019 [details]
patch to skip verification for non-TGT credentials
Comment 2 Nalin Dahyabhai 2006-03-29 16:05:27 EST
Sounds right, looks right.
Comment 3 Nalin Dahyabhai 2008-02-27 13:50:22 EST
Fixed as bug #230460, closing this one.

Note You need to log in before you can comment on or make changes to this bug.