Bug 614803 - pam password changing when using both pam_ldap and pam_krb5 fails
Alias: None
Product: Fedora
Classification: Fedora
Component: authconfig
Version: 12
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Keywords: FutureFeature
Reported: 2010-07-15 10:03 UTC by Jasper Siepkes
Modified: 2010-08-04 09:46 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Last Closed: 2010-08-04 09:46:42 UTC


Description Jasper Siepkes 2010-07-15 10:03:49 UTC
Description of problem:
When using a setup with both LDAP and Kerberos V in which both stores have the same user password, the PAM setup seems to be wrong. I realize that it's not optimal to keep a user's password both in LDAP and Kerberos; ideally LDAP should only provide directory services and let Kerberos do all the authentication. Unfortunately there are still a lot of apps which do not support Kerberos and only support simple LDAP binds.

PAM gets set up with the following out of the box:
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok

This does not work; the password only gets changed in Kerberos (because of 'sufficient'). For some reason using required, optional or requisite on pam_ldap.so causes it to fail? I haven't investigated this in depth, but only with 'sufficient' does pam_ldap actually get to the 'Enter new password' line.

This setup seems to work:
password    required      pam_krb5.so use_authtok
password    sufficient    pam_ldap.so

Steps to Reproduce:
1. Install Fedora and indicate you want to use both LDAP and Kerberos for Network authentication.

Actual results:
Logging-in, NSS, etc. all work fine, however password changing does not work correctly. Password only gets changed in one store: the first one listed in PAM.

Expected results:
Password gets changed in both LDAP and Kerberos.

Additional info:

Comment 1 Tomas Mraz 2010-08-04 09:46:42 UTC
Unfortunately your setup is not quite common. In other sites where some users use krb5 and other users use ldap auth your setup would not work. You have to configure system-auth and password-auth files manually.
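
Added example (not part of the bug report and not authconfig or Linux-PAM code): a simplified model of how the keyword control flags decide which modules in a "password" stack get called, run over the two stacks quoted in the description. It assumes only required/requisite/sufficient/optional, and models the mixed-site case from Comment 1 as pam_krb5 failing for a user who exists only in LDAP.

```python
# Added example: simplified model of Linux-PAM stack evaluation.
# Assumptions: keyword controls only (no [value=action], include or substack)
# and a single pass (the real password-change flow runs the stack twice).

OUT_OF_BOX = """\
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok
"""
REPORTED_WORKAROUND = """\
password    required      pam_krb5.so use_authtok
password    sufficient    pam_ldap.so
"""

def parse_password_stack(text):
    """Return [(control, module, options)] for the 'password' lines."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "password":
            stack.append((fields[1], fields[2], fields[3:]))
    return stack

def evaluate(text, outcome):
    """outcome maps module name -> True (success) or False (failure).
    Returns (modules_called, overall_success)."""
    called, required_failed, any_success = [], False, False
    for control, module, _options in parse_password_stack(text):
        called.append(module)
        ok = outcome[module]
        if control == "sufficient":
            if ok and not required_failed:
                return called, True      # stack ends; later modules never run
        elif control == "requisite":
            if not ok:
                return called, False     # stack ends on first failure
            any_success = True
        elif control == "required":
            if ok:
                any_success = True
            else:
                required_failed = True   # keep going, but the stack will fail
        elif control == "optional":
            any_success = any_success or ok  # failure is ignored
        else:
            raise ValueError("unsupported control: " + control)
    return called, any_success and not required_failed
```

With both modules succeeding, the out-of-the-box stack stops after pam_krb5.so, while the workaround stack reaches pam_ldap.so as well.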
