Hello.

I'm trying to make users authenticate to a Linux box through Active Directory. Everything works just fine, except changing passwords. I'm able to change the password from the Linux box, but if I type a password that doesn't meet the policy on the AD server I get this in the logs:

Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: configured realm 'MY.DOMAIN'
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flags:
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: no ignore_afs
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: user_check
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: use_authtok
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: no krb4_convert
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: warn
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: ticket lifetime: 0
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: renewable lifetime: 0
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: banner: Kerberos 5
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: ccache dir: /tmp
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: keytab: /etc/krb5.keytab
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: password changed for lech.lachowicz@xxxxxxxxx
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: obtaining credentials using new password for 'lech.lachowicz@xxxxxxxxx'
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: authenticating 'lech.lachowicz@xxxxxxxxx' to 'krbtgt/MY.DOMAIN@xxxxxxxxx'
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: krb5_get_init_creds_password(krbtgt/MY.DOMAIN@xxxxxxxxx) returned -1765328360 (Preauthentication failed)
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: pam_chauthtok returning 0 (Success)

And on the user terminal:

[lech.lachowicz@sandbender lech.lachowicz]$ passwd
Changing password for user lech.lachowicz.
Kerberos 5 Password:
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[lech.lachowicz@sandbender lech.lachowicz]$

The password is still the same. So my question is: what can I do to make pam_krb5 report an error if the password policy isn't met?

My pam.d/passwd:

password required pam_cracklib.so retry=3 minlen=6 dcredit=1 ucredit=
password sufficient pam_unix.so nullok use_first_pass md5 shadow debug
password required pam_krb5.so use_authtok debug

--
Regards,
Lech Lachowicz

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
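
The log sequence quoted above (a "password changed" line, a failed krb5_get_init_creds_password with the new password, then pam_chauthtok returning Success) can be flagged mechanically. The following is an added example, not part of the original post or of pam_krb5: a Python check over constructed syslog lines in the same format. The principals, the second (clean) session and the function name find_unverified_changes are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format quoted in the post. Principals are
# placeholders; the second session is an assumed clean change for contrast.
SAMPLE_LOG = """\
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: password changed for user@EXAMPLE.REALM
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: obtaining credentials using new password for 'user@EXAMPLE.REALM'
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: krb5_get_init_creds_password(krbtgt/MY.DOMAIN@EXAMPLE.REALM) returned -1765328360 (Preauthentication failed)
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: pam_chauthtok returning 0 (Success)
Feb 10 09:20:02 sandbender passwd[6101]: pam_krb5[6101]: password changed for other@EXAMPLE.REALM
Feb 10 09:20:02 sandbender passwd[6101]: pam_krb5[6101]: krb5_get_init_creds_password(krbtgt/MY.DOMAIN@EXAMPLE.REALM) returned 0 (Success)
Feb 10 09:20:02 sandbender passwd[6101]: pam_krb5[6101]: pam_chauthtok returning 0 (Success)
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]+)\s(\S+)\s\S+\[\d+\]:\spam_krb5\[(\d+)\]:\s(.*)$")
CHANGED = re.compile(r"^password changed for (\S+)")
INIT = re.compile(r"^krb5_get_init_creds_password\(.*\) returned (-?\d+) \((.*)\)$")
CHAUTH = re.compile(r"^pam_chauthtok returning (\d+) ")

def find_unverified_changes(log_text):
    """Return sessions where a change was logged and pam_chauthtok succeeded,
    but the follow-up login with the new password failed."""
    sessions = defaultdict(dict)   # keyed by (host, pid) so sessions don't mix
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue               # not a pam_krb5 debug line
        when, host, pid, msg = m.groups()
        state = sessions[(host, pid)]
        if (c := CHANGED.match(msg)):
            state["principal"] = c.group(1)
        elif (i := INIT.match(msg)) and "principal" in state:
            # Only the attempt made after "password changed" is of interest.
            state["verify"] = (int(i.group(1)), i.group(2))
        elif (r := CHAUTH.match(msg)):
            code, reason = state.get("verify", (0, ""))
            if "principal" in state and code != 0 and r.group(1) == "0":
                findings.append({"time": when, "host": host, "pid": pid,
                                 "principal": state["principal"],
                                 "krb5_code": code, "krb5_error": reason})
            sessions.pop((host, pid), None)   # session finished
    return findings

if __name__ == "__main__":
    for f in find_unverified_changes(SAMPLE_LOG):
        print(f)
```

The check depends on the module's debug option being enabled, as it is in the pam.d/passwd quoted in the post, since these lines are debug output.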