Bug 234593 – pam_krb5 does not update the last password change date field in LDAP

Bug 234593 - pam_krb5 does not update the last password change date field in LDAP

Summary:	pam_krb5 does not update the last password change date field in LDAP

Status:	CLOSED NOTABUG

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	nss_ldap (Show other bugs)
Sub Component:
Version:	6
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Nalin Dahyabhai
QA Contact:	Brian Brock
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2007-03-30 09:32 EDT by Andrew Zabolotny
Modified:	2008-02-25 17:59 EST (History)
CC List:	0 users

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2008-02-25 17:59:45 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
my system-auth file just in case (1.03 KB, application/octet-stream) 2007-03-30 09:32 EDT, Andrew Zabolotny	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Andrew Zabolotny 2007-03-30 09:32:22 EDT

Description of problem:


Version-Release number of selected component (if applicable):
pam_krb5-2.2.11-1

How reproducible:
Always

Steps to Reproduce:
1. Run authconfig-tui and set up the "Use LDAP" checkbox under "User
Information", check the "Use Kerberos" checkbox under "Authentication". Then
press "Next" and enter the address of the LDAP server. Press "Next" again and
enter the address of the Kerberos server.
2. Set expiration time for some existing user (or a new one) to some small value
(so that it expires): passwd -x 1 user
3. Try logging in as that user. You should get a message that your password has
expired and you must change it and then relogin. Change the password.
4. Try logging in again.
  
Actual results:
You will get again the same message. No matter how many times you change your
password, it keeps saying it is expired.

Expected results:
Should let the user log in after the password is changed.

Additional info:
The "getent shadow|grep user" command will display the shadow line for the
respective user. After you change the password with 'passwd', the third field
does not change (which is the last password change date).

I'm not sure if it's a bug in pam_krb5 or in the implementation of the
putspent() glibc function which should update the respective field in LDAP.

Comment 1 Andrew Zabolotny 2007-03-30 09:32:23 EDT

Created attachment 151278 [details]
my system-auth file just in case

Comment 2 Nalin Dahyabhai 2007-03-30 10:21:52 EDT

I'm not really sure how pam_krb5 has anything to do with your user's password if
the information is stored in the directory server.  Did you mean to report this
against the nss_ldap package, which contains the pam_ldap module?

Assuming you're using pam_ldap, can you verify that binding to the directory
server as the user allows you to update the "shadowLastChange" attribute in the
user's entry?

Comment 3 Orion Poplawski 2008-02-25 17:59:45 EST

I'm closing this.  It's old and I ran into the same problem.  Fedora Directory
Server by default does not allow the user to modify shadowLastChange.  Changing
this is FDS allows it to work.

Note You need to log in before you can comment on or make changes to this bug.