pam_ldap passwd entry when using kerberos

Asked by Brian J. Murrell on 2012-04-02

I have both libpam-ldap and libpam-krb5 installed because I am using Kerberos for authentication here. The implication is that I am not using passwords in ldap.

When I try to change my password I get this in the auth.log:

Apr 1 23:21:30 foo passwd[4927]: pam_unix(passwd:chauthtok): user "brian" does not exist in /etc/passwd
Apr 1 23:21:38 foo passwd[4927]: pam_krb5(passwd:chauthtok): user brian changed Kerberos password
Apr 1 23:21:38 foo passwd[4927]: pam_unix(passwd:chauthtok): user "brian" does not exist in /etc/passwd
Apr 1 23:21:38 foo passwd[4927]: pam_ldap: ldap_modify_s Insufficient access

The tty where I changed my password shows:

$ passwd
Current Kerberos password:
Enter new Kerberos password:
Retype new Kerberos password:
LDAP password information update failed: Insufficient access
passwd: Permission denied
passwd: password unchanged

Presumably this is all because PAM is trying to manipulate passwords in LDAP but they just don't/shouldn't exist there.

My /etc/pam.d/common-passwd looks like this:

# here are the per-package modules (the "Primary" block)
password requisite pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_gnome_keyring.so
password optional pam_ecryptfs.so
# end of pam-auth-update config

Does the configuration need to allow for whatever failure is causing the "ldap_modify_s Insufficient access" in the case where LDAP is not being used for authentication?

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: libpam-ldap 184-8.4ubuntu1
ProcVersionSignature: Ubuntu 2.6.38-13.56-generic
Uname: Linux 2.6.38-13-generic i686
Architecture: i386
Date: Sun Apr 1 23:37:37 2012
 PATH=(custom, no user)
SourcePackage: libpam-ldap
UpgradeStatus: No upgrade log present (probably fresh install)

Question information

English Edit question
Ubuntu libpam-ldap Edit question
No assignee Edit question
Last query:
Last reply:

This question was originally filed as bug #971248.

James Page (james-page) said : #1

Thank you for taking the time to report this issue and helping to make Ubuntu better. Examining the information you have given us, this does not appear to be a bug report so we are closing it and converting it to a question in the support tracker. We understand the difficulties you are facing, but it is better to raise problems you are having in the support tracker at https://answers.launchpad.net/ubuntu if you are uncertain if they are bugs. You can also find a valid support at http://askubuntu.com or posting your question in the support forum of your local Ubuntu's community. For help on reporting bugs, see https://help.ubuntu.com/community/ReportingBugs.

Launchpad Janitor (janitor) said : #2

This question was expired because it remained in the 'Open' state without activity for the last 15 days.