Hi all,

I've got my login authentication working just fine, but am having some trouble getting password changes to sync up properly. Accounts may be local (only) or network (passwords stored in both LDAP and Kerberos, for reasons I won't go into). The LDAP and Kerberos configurations are fine as far as access control and functionality are concerned; I just can't figure out the right way to configure the PAM stack to get password changing synced up properly. I've been trying variations on:

    password sufficient pam_unix.so md5 shadow
    password required   pam_krb5.so try_first_pass
    password required   pam_ldap.so try_first_pass use_authtok

I'm pretty sure the issue is that I don't have the try_first_pass and use_authtok options in the right spots. I don't really understand exactly how those work in password lines: do they apply to the first (old/expired) password, or the new password, or both? Do I want the krb5 and ldap parts taking authtoks from the unix part, given that a local user would not have a network password?

Anyway, I've tried a bunch of different variations on the above and gotten a variety of results, none completely successful. In the particular example above, I'll log in (with a password marked expired in shadow via LDAP), get the first "Password:" prompt for the old password, enter it, and then get logged in with a message that the LDAP password has been changed, even though I never entered a new password at all. Obviously, I'm missing out on some kind of fundamental understanding, because I don't understand how that's possible.

Any assistance/example is greatly appreciated.

--
Todd Pytel

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
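Added illustration (not part of the original post, and not Linux-PAM's own code): a small Python model of how a "password" stack is walked, restricted to the rules the option names in the post refer to. Control flags follow the pam.conf semantics (required records a failure but keeps going, requisite stops, sufficient stops on success, optional is ignored); the stack is run twice, PAM_PRELIM_CHECK then PAM_UPDATE_AUTHTOK; try_first_pass and use_first_pass in the password phase concern the OLD password (PAM_OLDAUTHTOK), while use_authtok concerns the NEW one (PAM_AUTHTOK) and never prompts. The users, passwords, prompt strings and backend tables are constructed stand-ins, and module behaviour is deliberately simplified (a module succeeds only for users its backend knows, and checks or updates a plain dict), so this does not reproduce every quirk of the real pam_unix, pam_krb5 or pam_ldap. It shows what the posted stack does under those rules for a network user and for a local user, and what changes when use_authtok is placed on the first module that actually prompts.

```python
"""Simplified model of a Linux-PAM 'password' stack (added illustration, not libpam)."""
from dataclasses import dataclass, field
from typing import Optional

PRELIM, UPDATE = "PAM_PRELIM_CHECK", "PAM_UPDATE_AUTHTOK"
SUCCESS = "PAM_SUCCESS"

# Constructed sample data: backend -> {user: current password}.
# "bob" is a local-only account; "alice" exists in Kerberos and LDAP only.
SAMPLE_USERS = {
    "pam_unix.so": {"bob": "bobold"},
    "pam_krb5.so": {"alice": "oldpw"},
    "pam_ldap.so": {"alice": "oldpw"},
}


@dataclass(frozen=True)
class Module:
    name: str                     # e.g. "pam_unix.so"
    control: str                  # required | requisite | sufficient | optional
    options: frozenset = frozenset()


@dataclass
class Session:
    user: str
    answers: list                 # what the user will type at successive prompts
    backends: dict                # private copy of SAMPLE_USERS, mutated on success
    old_authtok: Optional[str] = None   # the PAM_OLDAUTHTOK item
    authtok: Optional[str] = None       # the PAM_AUTHTOK item
    prompts: list = field(default_factory=list)

    def prompt(self, text):
        if not self.answers:
            raise RuntimeError("no scripted answer for prompt %r" % text)
        self.prompts.append(text)
        return self.answers.pop(0)


def make_session(user, answers):
    return Session(user, list(answers), {k: dict(v) for k, v in SAMPLE_USERS.items()})


def run_module(mod, s, phase):
    users = s.backends[mod.name]
    if s.user not in users:
        return "PAM_USER_UNKNOWN"          # e.g. pam_unix for an LDAP-only account
    if phase == PRELIM:
        # Old password.  *_first_pass means "reuse PAM_OLDAUTHTOK if an earlier
        # module stored it"; without either option the module always prompts.
        candidate = None
        if s.old_authtok is not None and mod.options & {"try_first_pass", "use_first_pass"}:
            candidate = s.old_authtok
        if candidate != users[s.user]:
            if "use_first_pass" in mod.options:
                return "PAM_AUTH_ERR"      # use_first_pass never prompts
            candidate = s.prompt("Password:")
            if candidate != users[s.user]:
                return "PAM_AUTH_ERR"
            s.old_authtok = candidate      # later modules can reuse it
        return SUCCESS
    # PAM_UPDATE_AUTHTOK: the new password.
    if "use_authtok" in mod.options:
        if s.authtok is None:
            return "PAM_AUTHTOK_ERR"       # nothing earlier in the stack set PAM_AUTHTOK
    else:
        new = s.prompt("New password:")
        if new != s.prompt("Retype new password:"):
            return "PAM_AUTHTOK_ERR"
        s.authtok = new                    # later modules with use_authtok pick this up
    users[s.user] = s.authtok              # the "sync": write the same token here
    return SUCCESS


def run_stack(stack, s, phase):
    status, required_failed = SUCCESS, False
    for mod in stack:
        rc = run_module(mod, s, phase)
        if rc == SUCCESS:
            if mod.control == "sufficient" and not required_failed:
                return SUCCESS             # sufficient success ends the stack
            continue
        if mod.control == "requisite":
            return rc                      # requisite failure ends the stack
        if mod.control == "required" and not required_failed:
            status, required_failed = rc, True   # first required failure is reported
        # failures of sufficient/optional modules are ignored
    return status


def pam_chauthtok(stack, s):
    rc = run_stack(stack, s, PRELIM)
    return rc if rc != SUCCESS else run_stack(stack, s, UPDATE)


# The three 'password' lines from the post.
POSTED_STACK = [
    Module("pam_unix.so", "sufficient", frozenset({"md5", "shadow"})),
    Module("pam_krb5.so", "required", frozenset({"try_first_pass"})),
    Module("pam_ldap.so", "required", frozenset({"try_first_pass", "use_authtok"})),
]
# Same stack with use_authtok also on pam_krb5: for a network user nothing before
# it ever sets PAM_AUTHTOK, so both required modules fail in the update phase.
MISPLACED_STACK = [
    Module("pam_unix.so", "sufficient", frozenset({"md5", "shadow"})),
    Module("pam_krb5.so", "required", frozenset({"try_first_pass", "use_authtok"})),
    Module("pam_ldap.so", "required", frozenset({"try_first_pass", "use_authtok"})),
]

if __name__ == "__main__":
    for user, stack, answers in [("alice", POSTED_STACK, ["oldpw", "newpw", "newpw"]),
                                 ("bob", POSTED_STACK, ["bobold", "bobnew", "bobnew"]),
                                 ("alice", MISPLACED_STACK, ["oldpw"])]:
        s = make_session(user, answers)
        print(user, pam_chauthtok(stack, s), s.prompts)
```

Under these rules the posted stack prompts a network user once for the old password (pam_krb5 stores it, pam_ldap reuses it via try_first_pass), once for the new password plus a retype (pam_krb5), and pam_ldap then takes the new token via use_authtok, so both backends end up with the same value. A local user never reaches pam_krb5 or pam_ldap at all, because pam_unix is sufficient and its success ends both passes. Moving use_authtok onto the first prompting module turns the update phase into an outright failure, which is the practical answer to "old or new": try_first_pass is about the old token, use_authtok about the new one, and use_authtok only makes sense on a module that runs after one that has already prompted for the new password.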