I set up a common Kerberos authentication for my domain. After that, it's working fine without any issues. But a user cannot change the password using the Linux command. On analysing this, I got the below error in /var/log/auth.log:

bharathi passwd[3715]: pam_unix(passwd:chauthtok): authentication failure; logname=test uid=1000 euid=0 tty= ruser= rhost= user=test

Response from Kerberos Admin Server.

May 11 16:44:48 bharathi krb5kdc[28795](info): AS_REQ (4 etypes {18 17 16 23}) NEEDED_PREAUTH: test@ZMEDIA.COM for kadmin/changepw@ZMEDIA.COM, Additional pre-authentication required
May 11 16:44:48 bharathi krb5kdc[28795](info): AS_REQ (4 etypes {18 17 16 23}) ISSUE: authtime 1368270888, etypes {rep=18 tkt=18 ses=18}, test@ZMEDIA.COM for kadmin/changepw@ZMEDIA.COM
May 11 16:45:07 bharathi krb5kdc[28795](info): AS_REQ (4 etypes {18 17 16 23}) NEEDED_PREAUTH: test@ZMEDIA.COM for kadmin/changepw@ZMEDIA.COM, Additional pre-authentication required
May 11 16:45:07 bharathi krb5kdc[28795](info): AS_REQ (4 etypes {18 17 16 23}) ISSUE: authtime 1368270907, etypes {rep=18 tkt=18 ses=18}, test@ZMEDIA.COM for kadmin/changepw@ZMEDIA.COM

The response from the Kerberos admin server seems to be okay. I suspect the problem might be in the pam.d configuration.


# /etc/pam.d/common-auth - authentication settings common to all services
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

auth    sufficient  pam_krb5.so minimum_uid=1000

# here are the per-package modules (the "Primary" block)
auth    [success=3 default=ignore]  pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]  pam_lsass.so try_first_pass
# here's the fallback if no module succeeds
auth    requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config


# /etc/pam.d/common-account - authorization settings common to all services
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

account required            pam_krb5.so minimum_uid=1000

# here are the per-package modules (the "Primary" block)
account [success=3 new_authtok_reqd=done default=ignore]    pam_unix.so 
account [success=ok new_authtok_reqd=ok default=ignore]     pam_lsass.so unknown_ok
account [success=1 new_authtok_reqd=done default=ignore]    pam_lsass.so 
# here's the fallback if no module succeeds
account requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config


# /etc/pam.d/common-password - password-related modules common to all services
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix.

# Explanation of pam_unix options:
# The "sha512" option enables salted SHA512 passwords.  Without this option,
# the default is Unix crypt.  Prior releases used the option "md5".
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
# See the pam_unix manpage for other options.

# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
password    requisite           pam_krb5.so minimum_uid=1000
password    [success=2 default=ignore]  pam_unix.so obscure use_authtok try_first_pass sha512
password    [success=1 default=ignore]  pam_lsass.so use_authtok try_first_pass
# here's the fallback if no module succeeds
password    requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password    required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
password    optional    pam_gnome_keyring.so 
# end of pam-auth-update config

What am I doing wrong here?


1 Answer


Your auth.log contains the following hint:

bharathi passwd[3715]: pam_unix(passwd:chauthtok): authentication failure; logname=test uid=1000 euid=0 tty= ruser= rhost= user=test

Looking at common-password the relevant lines are:

password requisite pam_krb5.so minimum_uid=1000

The Kerberos-PAM-module will only handle users with uid>=1000, which is good to keep local accounts like root working even when the network fails.

The requisite marks this module as always required, so in this case success is stored as the result but the following modules are still executed.

password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512

The next module is the failing unix module, which now tries to change the password in /etc/shadow. But since this is a Kerberos user, there is probably no entry in /etc/shadow. Due to the ignore this failure is ignored: the error is still logged but the result for the PAM stack is not changed.

But then the next module follows:

password requisite pam_deny.so

This will finally overwrite the previous result code with deny and thus deny the request to change the password.

If it's sufficient to only change the Kerberos password, change the requisite for Kerberos into [success=3 default=ignore], which would skip the next 3 modules (unix, lsass, deny) on success and thus continue with the pam_permit.so, which forces the stack to finally return success.

If on the other hand you have users with both entries in /etc/shadow and in Kerberos, and you want to keep those two passwords in sync, it gets a lot more complicated to get right. Something like the following should work:

  1. First try to change the Kerberos password.
  2. If that succeeds, try to optionally also change the local Unix password in /etc/shadow.
  3. Otherwise require the Unix password change to succeed.

    password [success=3 user_unknown=ignore default=ignore] pam_krb5.so minimum_uid=1000
    password [success=3 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
    password [success=2 default=ignore] pam_lsass.so use_authtok try_first_pass
    password requisite           pam_deny.so
    password [success=ok default=ignore] pam_unix.so obscure use_authtok use_first_pass sha512
    password required            pam_permit.so