
I've set up Kerberos/LDAP on Ubuntu 11.04 Server according to this guide. My client machines are auto-mounting NFS volumes from the server using krb5. All is good: Users can log in to any of the machines in the office and their home directories auto-mount when they do.

A user has forgotten his password. How do I -- root -- reset it?

It seems to me that the password must be reset both in Kerberos and in LDAP, but I haven't been able to figure out how. Things I've tried:

  1. ldappasswd - User can successfully log in but their home directory does not mount.
  2. ldapsetpasswd - Same.
  3. kinit; passwd - My understanding is that passwd hooks PAM and therefore it may be the one-stop-shop that I'm looking for to get this done. It keeps asking me -- rather cryptically, I might add -- for "Current Kerberos password." None of the usual suspects seem to work.

Cheers!

BrianTheLion

2 Answers


You should not tamper with the ldap password. It's probably {SASL}user@DOMAIN.TLD, which is what it always should be.

You should use kadmin.

You do not need to be root, just have the right privileges with the KDC.

example:

self@notakdc ~ $ kadmin
Authenticating as principal self/admin@DOMAIN.TLD with password.
Password for self/admin@DOMAIN.TLD: 
kadmin:  getprivs
current privileges: GET ADD MODIFY DELETE
kadmin:  cpw someuser
Enter password for principal "someuser@DOMAIN.TLD": 
Re-enter password for principal "someuser@DOMAIN.TLD": 
Password for "someuser@DOMAIN.TLD" changed.
kadmin:  quit
84104
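The procedure in the answer above, scripted, as an added example that is not part of the original answer: reset the user's Kerberos password through kadmin from a non-KDC host, flag the principal so the user has to pick a new password at next login, and then confirm that the user's LDAP entry still carries the {SASL}user@REALM passthrough value rather than a local hash left behind by ldappasswd. The realm DOMAIN.TLD, the admin principal self/admin, the LDAP base dc=domain,dc=tld and the use of a GSSAPI bind for ldapsearch are assumptions for the example; substitute your own.

```shell
#!/bin/sh
# Added example, not code from the original page. Resets a user's Kerberos
# password with an admin principal, forces a change at next login, and checks
# that LDAP still defers to the KDC for that user.
# Assumed names (edit to taste): realm DOMAIN.TLD, admin principal self/admin,
# LDAP base dc=domain,dc=tld, GSSAPI bind for ldapsearch.

REALM="DOMAIN.TLD"
ADMIN_PRINC="self/admin@$REALM"
LDAP_BASE="dc=domain,dc=tld"

# Kerberos principal for a login name: bob -> bob@DOMAIN.TLD
principal_for() {
    printf '%s@%s\n' "$1" "$REALM"
}

# Pull the userPassword value out of LDIF on stdin. ldapsearch prints
# octet-string attributes base64-encoded ("userPassword:: ...") by default,
# so both the encoded and the plain form are handled. Returns 1 if absent.
extract_userpassword() {
    line=$(sed -n '/^userPassword:/{p;q;}')
    case "$line" in
        "userPassword:: "*) printf '%s' "${line#userPassword:: }" | base64 -d ;;
        "userPassword: "*)  printf '%s' "${line#userPassword: }" ;;
        *) return 1 ;;
    esac
}

# True when an LDAP password value is the SASL passthrough for this user,
# i.e. the directory delegates authentication to the KDC instead of storing
# a hash of its own.
ldap_pw_is_sasl() {
    [ "$2" = "{SASL}$(principal_for "$1")" ]
}

# Reset the Kerberos password. kadmin prompts for the new password; it is
# deliberately not passed with "cpw -pw", which would expose it in the
# process list and shell history. +needchange makes the user choose their
# own password at next login. On the KDC itself, kadmin.local needs no
# admin password.
reset_krb_password() {
    princ=$(principal_for "$1")
    kadmin -p "$ADMIN_PRINC" -q "cpw $princ" &&
    kadmin -p "$ADMIN_PRINC" -q "modprinc +needchange $princ"
}

# Directory side: userPassword must be {SASL}user@REALM, not a local hash.
check_ldap_passthrough() {
    user="$1"
    value=$(ldapsearch -LLL -Y GSSAPI -b "$LDAP_BASE" "(uid=$user)" userPassword 2>/dev/null \
            | extract_userpassword) || { echo "no userPassword for $user" >&2; return 1; }
    if ldap_pw_is_sasl "$user" "$value"; then
        echo "LDAP defers to Kerberos for $user: $value"
    else
        echo "WARNING: $user has a local LDAP password ($value); expected {SASL}$(principal_for "$user")" >&2
        return 1
    fi
}

# Usage: ./reset-krb-pw.sh <username>   (run with a kinit'd admin ticket so
# the GSSAPI ldapsearch can bind)
if [ $# -eq 1 ]; then
    reset_krb_password "$1" && check_ldap_passthrough "$1"
fi
```

Each kadmin invocation asks for the admin principal's password, so the reset prompts twice (admin password, then the new user password, then admin password again for modprinc). If check_ldap_passthrough reports a local hash, the user is the one from the question whose home directory stops mounting: their LDAP simple bind succeeds against the hash, but no Kerberos ticket is obtained for the krb5 NFS mount.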

Maybe with kpasswd? Also, if you happen to use Heimdal instead of MIT Krb, there is a nifty overlay for OpenLDAP that keeps the LDAP, Samba and Kerberos passwords in sync if you use the Modify Password LDAP exop.

Sven