Sorry for the repost, I just realized I forgot "Subject":

I am trying to use kerberos to authenticate *NIX client accounts against a Windows 2003 Active directory. The kerberos packages that are installed on the Red Hat system are:

    krb5-libs-1.3.4-33
    krb5-devel-1.3.4-33
    pam_krb5-2.1.8-1
    krb5-auth-dialog-0.2-1
    krb5-workstation-1.3.4-33

I have created a keytab file using the MS Windows utility ktpass. When I log on to the Red Hat system everything works as expected and I can see the following in the /var/log/messages file:

    sshd: pam_krb5[3554]: krb5_get_init_creds_password(krbtgt/AD.NET@xxxxxx) returned 0 (Success)
    pam_krb5[3554]: validating credentials
    pam_krb5[3554]: TGT verified using key for 'host/vmlnx01.ad.net@xxxxxx'
    pam_krb5[3554]: TGT verified using key for 'host/vmlnx01.ad.net@xxxxxx'
    pam_krb5[3554]: got result 0 (Success)
    pam_krb5[3554]: authentication succeeds for 'aduser' (aduser@xxxxxx)
    pam_krb5[3554]: authentication succeeds for 'aduser' (aduser@xxxxxx)
    pam_krb5[3554]: pam_authenticate returning 0 (Success)

At this point everything looks fine and it appears the keytab file was used successfully. Now if I try to issue the `passwd' command for the user who just successfully logged on to the system, I see the following in /var/log/messages:

    passwd: pam_krb5[3589]: authenticating 'aduser@xxxxxx' to 'kadmin/changepw@xxxxxx'
    passwd: pam_krb5[3589]: krb5_get_init_creds_password(kadmin/changepw@xxxxxx) returned 5 (Input/output error)
    passwd: pam_krb5[3589]: Got 5 (Input/output error) acquiring credentials for kadmin/changepw.
    passwd: pam_krb5[3589]: authenticating 'aduser@xxxxxx' to 'kadmin/changepw@xxxxxx'
    passwd: pam_krb5[3589]: krb5_get_init_creds_password(kadmin/changepw@xxxxxx) returned 0 (Success)
    passwd: pam_krb5[3589]: validating credentials
    passwd: pam_krb5[3589]: TGT failed verification using key for 'host/vmlnx01.ad.net@xxxxxx'
    passwd: pam_krb5[3589]: TGT failed verification using key for 'host/vmlnx01.ad.net@xxxxxx'
    passwd: pam_krb5[3589]: Got 0 (Success) acquiring credentials for kadmin/changepw.
    pam_krb5[3589]: pam_chauthtok returning 7 (Authentication failure)

Why is krb5_get_init_creds_password returning 5? If I turn off validation (validate = false) in /etc/krb5.conf the user is able to change their password.

The contents of /etc/pam.d/system-auth look like the following:

    auth        required      /lib/security/$ISA/pam_env.so
    auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
    auth        sufficient    /lib/security/$ISA/pam_krb5.so minimum_uid=500 use_first_pass debug
    auth        required      /lib/security/$ISA/pam_deny.so

    account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so debug
    account     required      /lib/security/$ISA/pam_unix.so
    account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
    account     required      /lib/security/$ISA/pam_permit.so

    password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
    password    sufficient    /lib/security/$ISA/pam_krb5.so minimum_uid=500 use_authok debug
    password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_first_pass md5 shadow
    password    required      /lib/security/$ISA/pam_deny.so

    session     required      /lib/security/$ISA/pam_limits.so
    session     required      /lib/security/$ISA/pam_unix.so
    session     optional      /lib/security/$ISA/pam_krb5.so debug

Does anyone know why I can successfully authenticate and log in, but can not change user's password?

Your help is appreciated.

Thanks.

--
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
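
An added example, not part of the original post: a small Python triage script that groups pam_krb5 debug lines like those quoted above by PID and records which principal was requested, the return codes, and whether the TGT validated against the host key. The sample log is constructed from the post's lines with a placeholder realm (EXAMPLE), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modeled on the pam_krb5 debug lines quoted in the post.
SAMPLE = """\
sshd: pam_krb5[3554]: krb5_get_init_creds_password(krbtgt/AD.NET@EXAMPLE) returned 0 (Success)
pam_krb5[3554]: TGT verified using key for 'host/vmlnx01.ad.net@EXAMPLE'
pam_krb5[3554]: pam_authenticate returning 0 (Success)
passwd: pam_krb5[3589]: krb5_get_init_creds_password(kadmin/changepw@EXAMPLE) returned 5 (Input/output error)
passwd: pam_krb5[3589]: krb5_get_init_creds_password(kadmin/changepw@EXAMPLE) returned 0 (Success)
passwd: pam_krb5[3589]: TGT failed verification using key for 'host/vmlnx01.ad.net@EXAMPLE'
pam_krb5[3589]: pam_chauthtok returning 7 (Authentication failure)
"""

PID = re.compile(r"pam_krb5\[(\d+)\]: (.*)")
CREDS = re.compile(r"krb5_get_init_creds_password\((\S+?)\) returned (\d+)")
VERIFY = re.compile(r"TGT (verified|failed verification) using key for '([^']+)'")
FINAL = re.compile(r"(pam_\w+) returning (\d+)")

def summarize(text):
    """Group pam_krb5 debug lines by PID and record what each PAM call did."""
    out = defaultdict(lambda: {"requests": [], "validated": None, "key": None, "final": None})
    for line in text.splitlines():
        m = PID.search(line)
        if not m:
            continue  # not a pam_krb5 line
        pid, msg = int(m.group(1)), m.group(2)
        rec = out[pid]
        if c := CREDS.search(msg):
            # (principal credentials were requested for, library return code)
            rec["requests"].append((c.group(1), int(c.group(2))))
        elif v := VERIFY.search(msg):
            rec["validated"], rec["key"] = v.group(1) == "verified", v.group(2)
        elif f := FINAL.search(msg):
            rec["final"] = (f.group(1), int(f.group(2)))
    return dict(out)

def validation_failures(summary):
    """PIDs where credentials were obtained but keytab validation rejected them."""
    return sorted(pid for pid, r in summary.items()
                  if r["validated"] is False and any(rc == 0 for _, rc in r["requests"]))

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for pid, rec in s.items():
        print(pid, rec)
    print("validation failures:", validation_failures(s))
```

On the sample, PID 3589 is the only one flagged: its credentials were requested for kadmin/changepw rather than krbtgt, and the check against the host key failed.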