Bug 187303 - Kerberos password change fails when TGT verification is enabled
Summary: Kerberos password change fails when TGT verification is enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam_krb5
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-03-29 21:02 UTC by Robert Basch
Modified: 2008-02-27 18:50 UTC (History)

Fixed In Version: 2.1.16-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-02-27 18:50:22 UTC
Target Upstream Version:
Embargoed:


Attachments:
patch to skip verification for non-TGT credentials (577 bytes, patch), 2006-03-29 21:02 UTC, Robert Basch

Description Robert Basch 2006-03-29 21:02:55 UTC
Description of problem:

When TGT verification is enabled on a machine with a valid host key in
/etc/krb5.keytab, users are unable to change their Kerberos
password; when they run /usr/bin/passwd, after they enter their current
Kerberos 5 password as prompted, the following fatal error is output:

passwd: Authentication token manipulation error

A "TGT failed verification ..." message is syslogged from pam_krb5 at the time
of failure.

TGT verification is enabled in /etc/krb5.conf:

[appdefaults]
        pam = {
          validate = true
          ...
        }

When TGT verification is disabled, the password can be changed successfully.


Version-Release number of selected component (if applicable):
2.1.8-1

How reproducible:
Always, when system is configured as described.


Steps to Reproduce:
1. Enable TGT verification in /etc/krb5.conf (as above)
2. Create /etc/krb5.keytab, containing a valid host service key for the machine
3. Make sure Kerberos password-changing is enabled, e.g. in /etc/pam.d/system-auth:

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5afs.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

4. Run /usr/bin/passwd to try to change the Kerberos (i.e. non-local) password
of a user, and enter the valid current Kerberos password for the user.


Actual results:
Fails with the error "Authentication token manipulation error"

Expected results:
When the correct current Kerberos password is entered, it should prompt for the
new Kerberos password.


Additional info:
I believe the problem is that pam_krb5 should not try to verify the
kadmin/changepw credentials obtained in pam_sm_chauthtok(); verification
should only be done for a TGT.  I am attaching a patch which fixes the problem;
it changes v5_get_creds() to only do TGT validation when the service is
KRB5_TGS_NAME (i.e. "krbtgt").
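To illustrate the condition the reporter describes, here is an added C sketch (not the pam_krb5 source and not the attached patch) that verifies credentials against the host keytab only when the requested service is the ticket-granting service "krbtgt". The principal-string parsing, the simulated get_creds() before/after switch and the realm EXAMPLE.COM are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not pam_krb5 code: the verification decision the
 * reporter describes, applied to a principal name given as a string. */
#define KRB5_TGS_NAME "krbtgt"   /* the value the MIT krb5 headers define */
/* Copy the first component of a principal such as
 * "krbtgt/EXAMPLE.COM@EXAMPLE.COM" or "kadmin/changepw@EXAMPLE.COM" into out.
 * Returns false for an empty or oversized component. */
static bool first_component(const char *princ, char *out, size_t outlen) {
    size_t n = strcspn(princ, "/@");
    if (n == 0 || n >= outlen) return false;
    memcpy(out, princ, n);
    out[n] = '\0';
    return true;
}

/* True when the credentials requested are a TGT (service "krbtgt"). */
bool is_tgt_service(const char *princ) {
    char comp[64];
    return first_component(princ, comp, sizeof comp) && strcmp(comp, KRB5_TGS_NAME) == 0;
}

/* The fixed rule: verify against the host key only when "validate = true",
 * a keytab is available, and the credentials are a TGT. */
bool should_validate(bool validate_enabled, bool have_keytab, const char *princ) {
    return validate_enabled && have_keytab && is_tgt_service(princ);
}

typedef enum { CREDS_OK, CREDS_VERIFY_FAILED } creds_result;
/* Simulated credential fetch (assumption: host-key verification can only
 * succeed for a TGT, so verifying kadmin/changepw credentials always fails).
 * skip_non_tgt=false reproduces the reported behaviour, true the fixed one. */
creds_result get_creds(bool validate_enabled, bool have_keytab,
                       const char *princ, bool skip_non_tgt) {
    bool validate = skip_non_tgt ? should_validate(validate_enabled, have_keytab, princ)
                                 : (validate_enabled && have_keytab);
    if (validate && !is_tgt_service(princ))
        return CREDS_VERIFY_FAILED;   /* "TGT failed verification" in syslog */
    return CREDS_OK;
}

int main(void) {
    const char *chpw = "kadmin/changepw@EXAMPLE.COM";   /* constructed realm */
    printf("old: %s\n", get_creds(true, true, chpw, false) == CREDS_OK ? "ok" : "fails");
    printf("new: %s\n", get_creds(true, true, chpw, true) == CREDS_OK ? "ok" : "fails");
    return 0;
}
```

With validation enabled and a keytab present, the old path rejects the kadmin/changepw credentials while the TGT-only rule lets the password change proceed and still verifies real TGTs at login.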

Comment 1 Robert Basch 2006-03-29 21:02:55 UTC
Created attachment 127019
patch to skip verification for non-TGT credentials

Comment 2 Nalin Dahyabhai 2006-03-29 21:05:27 UTC
Sounds right, looks right.

Comment 3 Nalin Dahyabhai 2008-02-27 18:50:22 UTC
Fixed as bug #230460, closing this one.

