pam_ldap passwd entry when using kerberos

Asked by Brian J. Murrell on 2012-04-02

I have both libpam-ldap and libpam-krb5 installed because I am using Kerberos for authentication here. The implication is that I am not using passwords in LDAP.

When I try to change my password I get this in the auth.log:

Apr 1 23:21:30 foo passwd[4927]: pam_unix(passwd:chauthtok): user "brian" does not exist in /etc/passwd
Apr 1 23:21:38 foo passwd[4927]: pam_krb5(passwd:chauthtok): user brian changed Kerberos password
Apr 1 23:21:38 foo passwd[4927]: pam_unix(passwd:chauthtok): user "brian" does not exist in /etc/passwd
Apr 1 23:21:38 foo passwd[4927]: pam_ldap: ldap_modify_s Insufficient access

The tty where I changed my password shows:

$ passwd
Current Kerberos password:
Enter new Kerberos password:
Retype new Kerberos password:
LDAP password information update failed: Insufficient access
passwd: Permission denied
passwd: password unchanged

Presumably this is all because PAM is trying to manipulate passwords in LDAP but they just don't/shouldn't exist there.

My /etc/pam.d/common-passwd looks like this:

# here are the per-package modules (the "Primary" block)
password requisite minimum_uid=1000
password [success=2 default=ignore] obscure use_authtok try_first_pass sha512
password [success=1 user_unknown=ignore default=die] use_authtok try_first_pass
# here's the fallback if no module succeeds
password requisite
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required
# and here are more per-package modules (the "Additional" block)
password optional
password optional
# end of pam-auth-update config

Does the configuration need to allow for whatever failure is causing the "ldap_modify_s Insufficient access" in the case where LDAP is not being used for authentication?

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: libpam-ldap 184-8.4ubuntu1
ProcVersionSignature: Ubuntu 2.6.38-13.56-generic
Uname: Linux 2.6.38-13-generic i686
Architecture: i386
Date: Sun Apr 1 23:37:37 2012
 PATH=(custom, no user)
SourcePackage: libpam-ldap
UpgradeStatus: No upgrade log present (probably fresh install)


This question was originally filed as bug #971248.
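
An added example, not part of the original question or of libpam-ldap: the auth.log excerpt above shows pam_krb5 logging a Kerberos password change and pam_ldap logging a failure inside the same passwd process, while the terminal reports "password unchanged". This Python script groups auth.log lines by process and flags runs where one PAM module logged a change and another logged a failure; the function name and the message patterns are assumptions drawn from the lines quoted on this page.

```python
import re
from collections import defaultdict

# Constructed sample: the four auth.log lines quoted in the question.
SAMPLE_LOG = """\
Apr 1 23:21:30 foo passwd[4927]: pam_unix(passwd:chauthtok): user "brian" does not exist in /etc/passwd
Apr 1 23:21:38 foo passwd[4927]: pam_krb5(passwd:chauthtok): user brian changed Kerberos password
Apr 1 23:21:38 foo passwd[4927]: pam_unix(passwd:chauthtok): user "brian" does not exist in /etc/passwd
Apr 1 23:21:38 foo passwd[4927]: pam_ldap: ldap_modify_s Insufficient access
"""

# timestamp, host, program[pid], PAM module with optional (service:type), message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]:\s"
    r"(?P<module>pam_\w+)(?:\([^)]*\))?:\s(?P<msg>.*)$"
)
# Assumed patterns, taken from the messages on this page; extend per module.
CHANGED = re.compile(r"changed .*password", re.I)
FAILED = re.compile(r"insufficient access|permission denied|failed", re.I)

def find_partial_changes(log_text):
    """Return one finding per passwd process in which one PAM module logged a
    password change and another module logged a failure in the same run."""
    runs = defaultdict(lambda: {"changed": [], "failed": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["prog"] != "passwd":
            continue  # not a passwd PAM line in the expected format
        key = (m["host"], m["pid"])
        if CHANGED.search(m["msg"]):
            runs[key]["changed"].append(m["module"])
        elif FAILED.search(m["msg"]):
            runs[key]["failed"].append((m["module"], m["msg"]))
    return [
        {"host": h, "pid": int(p), "changed_by": r["changed"], "failed": r["failed"]}
        for (h, p), r in runs.items()
        if r["changed"] and r["failed"]  # both outcomes in one passwd run
    ]

if __name__ == "__main__":
    for finding in find_partial_changes(SAMPLE_LOG):
        print(finding)
```
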

James Page (james-page) said : #1

Thank you for taking the time to report this issue and helping to make Ubuntu better. Examining the information you have given us, this does not appear to be a bug report so we are closing it and converting it to a question in the support tracker. We understand the difficulties you are facing, but it is better to raise problems you are having in the support tracker at if you are uncertain if they are bugs. You can also find a valid support at or posting your question in the support forum of your local Ubuntu's community. For help on reporting bugs, see

Launchpad Janitor (janitor) said : #2

This question was expired because it remained in the 'Open' state without activity for the last 15 days.