Red Hat Bugzilla – Bug 459524
pam_ldap has some problems chasing referrals properly on expired passwords.
Last modified: 2010-04-01 13:24:08 EDT
Description of problem:
When changing an expired password while using referrals, if the server actually changes the password while sending referrals, pam_ldap assumes that the password is changed and overwrites it. However, the referral to the master is not yet chased, so binding to the master fails, thereby causing the password change to ultimately fail.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set up two fedora-DS servers, one a master, and one a slave.
2. Set up a referral from the slave to the master
3. Set up an expired user account.
4. Try to ssh to a server using the slave, and reset the password when requested
5. Master fails the update with "invalid credentials".
The problem appears to be in the _update_authtok routine. Commenting out the final block of code starting on line 3117:
/* if (rc == LDAP_SUCCESS)
session->info->userpw = strdup (new_password);
if (session->info->userpw == NULL)
rc = PAM_BUF_ERR;
Appears to fix the problem. I get "can't update shadowLastChange" after that, but it appears to be a different problem, and I can at least log in.
The fix I made is probably insecure. Please work with me to find the correct fix. I actually have support with redhat through my company, I will pass this bug report number on to our rep. thanks.
More information: I have reason to believe that this problem will manifest on a large network where the master is in another datacenter than the slave and the client. It would make sense that the modification would be finished and the modification made on the client before it even gets a chance to connect to the master. Therefore this sounds like a race condition to me.
My patch is likely wrong - what probably *should* happen is that the password should not be tossed until *all* referrals are chased. If I get some time I'll try to figure out how to do that.
This bug can be closed. I have tracked it down per support request 1851828 to be the fact that the server is not sending referrals on a password change. Working with support to find a way around that.
Sorry for the delay here. Closing due to fixes in this area which should have gone out in 5.2. Please reopen if you're still seeing this happen.