Description of problem:
When TGT verification is enabled on a machine with a valid host key in /etc/krb5.keytab, users are unable to change their Kerberos password; when they run /usr/bin/passwd, after they enter their current Kerberos 5 password as prompted, the following fatal error is output:

passwd: Authentication token manipulation error

A "TGT failed verification ..." message is syslogged from pam_krb5 at the time of failure.

TGT verification is enabled in /etc/krb5.conf:

[appdefaults]
 pam = {
  validate = true
  ...
 }

When TGT verification is disabled, the password can be changed successfully.

Version-Release number of selected component (if applicable):
2.1.8-1

How reproducible:
Always, when system is configured as described.

Steps to Reproduce:
1. Enable TGT verification in /etc/krb5.conf (as above)
2. Create /etc/krb5.keytab, containing a valid host service key for the machine
3. Make sure Kerberos password-changing is enabled, e.g. in /etc/pam.d/system-auth:

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5afs.so use_authtok
password required /lib/security/$ISA/pam_deny.so

4. Run /usr/bin/passwd to try to change the Kerberos (i.e. non-local) password of a user, and enter the valid current Kerberos password for the user.

Actual results:
Fails with the error "Authentication token manipulation error"

Expected results:
When the correct current Kerberos password is entered, it should prompt for the new Kerberos password.

Additional info:
I believe the problem is that pam_krb5 should not try to verify the kadmin/changepw credentials obtained in pam_sm_chauthtok(); verification should only be done for a TGT. I am attaching a patch which fixes the problem; it changes v5_get_creds() to only do TGT validation when the service is KRB5_TGS_NAME (i.e. "krbtgt").
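The rule the reporter describes (verify initial credentials against the host keytab only when they are a TGT, i.e. the service principal's first component is KRB5_TGS_NAME, "krbtgt", and never for the kadmin/changepw credentials that a password change obtains) as an added example. This is not pam_krb5's code and not the attached patch; the function names should_verify_creds and verification_applies are hypothetical, and the principal strings are in the krb5 unparsed form "comp1/comp2@REALM" with backslash escapes. It goes slightly beyond the report by also honouring the validate switch from the [appdefaults] pam section.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not pam_krb5 code. Models the decision the reporter's patch
 * makes in v5_get_creds(): credentials are only worth verifying against the
 * host key in /etc/krb5.keytab when they are a TGT. */

#define KRB5_TGS_NAME "krbtgt"   /* first component of every TGT service principal */

/* Copy the first component of an unparsed principal ("comp1/comp2@REALM")
 * into buf, honouring backslash escapes such as "\/" and "\@".
 * Returns the component length, or -1 if the name is empty, truncated by a
 * dangling escape, or does not fit in buf. */
static int first_component(const char *princ, char *buf, size_t buflen)
{
    size_t n = 0;
    const char *p = princ;

    while (*p && *p != '/' && *p != '@') {
        char c = *p;
        if (c == '\\') {            /* escaped separator or other character */
            p++;
            if (!*p)
                return -1;          /* dangling escape: malformed name */
            c = *p;
        }
        if (n + 1 >= buflen)
            return -1;              /* would overflow the caller's buffer */
        buf[n++] = c;
        p++;
    }
    buf[n] = '\0';
    return n == 0 ? -1 : (int)n;
}

/* Returns 1 when credentials for service_princ are a TGT ("krbtgt/REALM@REALM")
 * and 0 otherwise, e.g. for "kadmin/changepw@REALM", whose credentials cannot
 * be used to fetch a host/... ticket and so would always "fail verification". */
int should_verify_creds(const char *service_princ)
{
    char comp[256];

    if (first_component(service_princ, comp, sizeof comp) < 0)
        return 0;                   /* malformed name: nothing to verify */
    return strcmp(comp, KRB5_TGS_NAME) == 0;
}

/* Combine the configured "validate" switch with the TGT check: verification
 * happens only if it is enabled AND the credentials are a TGT. */
int verification_applies(int validate_enabled, const char *service_princ)
{
    return validate_enabled && should_verify_creds(service_princ);
}

int main(void)
{
    /* Constructed sample principals for a hypothetical realm. */
    const char *tgt     = "krbtgt/EXAMPLE.COM@EXAMPLE.COM";
    const char *changepw = "kadmin/changepw@EXAMPLE.COM";

    printf("validate=true  %-32s verify=%d\n", tgt,      verification_applies(1, tgt));
    printf("validate=true  %-32s verify=%d\n", changepw, verification_applies(1, changepw));
    printf("validate=false %-32s verify=%d\n", tgt,      verification_applies(0, tgt));
    return 0;
}
```

With validate = true, only the krbtgt credentials obtained in pam_sm_authenticate() are checked against the host key; the kadmin/changepw credentials fetched in pam_sm_chauthtok() are used directly for the password change, which is the behaviour the report asks for.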
Created attachment 127019: patch to skip verification for non-TGT credentials
Sounds right, looks right.
Fixed as bug #230460, closing this one.