
I have followed this excellent post to configure Kerberos + LDAP:
http://koo.fi/blog/2013/01/06/ubuntu-12-04-active-directory-authentication/

However, there are some local users used for services.
When I try to change the password for one of those, as root, it asks for the current Kerberos password, then exits:

passwd service1
Current Kerberos password:  (I hit enter)
Current Kerberos password:  (I hit enter)
passwd: Authentication token manipulation error
passwd: password unchanged

If I switch to the local user and do passwd, it asks once for Kerberos then falls back to local:
$ passwd
Current Kerberos password:
Changing password for service1.
(current) UNIX password:

My configuration is similar to the site I posted above, and everything works fine, I just can't change the local users' passwords as root.

Thanks in advance for any help.

3.8.0-29-generic #42~precise1-Ubuntu

Update 1 2013-01-31:

# cat /etc/pam.d/common-auth
auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so


# cat /etc/pam.d/common-password
password        [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
password        requisite                       pam_deny.so
password        required                        pam_permit.so
password        optional        pam_gnome_keyring.so
Daniel C. Lopez

5 Answers

In your /etc/pam.d/common-password , change the minimum_uid in your first line to something bigger than 1000, example:

password        [success=3 default=ignore]      pam_krb5.so minimum_uid=10000

That worked for me. This is what you should see in /var/log/auth.log after changing the password for that user as root:

Dec 26 12:34:36 3.8.0-29-generic passwd[22667]: pam_unix(passwd:chauthtok): password changed for service1
Ameer
    This is the correct answer. The line with pam_krb5.so should have minimum_uid of the starting uid of your kerberos users. – jhauris Feb 01 '16 at 18:57
@Ameer's answer about editing common-password is correct. But: when you edit the uid limits of PAM in general, don't forget to edit all the affected PAM files! If you search for krb5 in /etc/pam.d, you should find all the relevant files:

root@server:/etc/pam.d# grep -R krb5 .
./common-auth:auth  [success=2 default=ignore]  pam_krb5.so minimum_uid=10000
./common-session-noninteractive:session optional            pam_krb5.so minimum_uid=10000
./common-session:session    optional            pam_krb5.so minimum_uid=10000
./common-account:account    required            pam_krb5.so minimum_uid=10000
./common-password:password  [success=2 default=ignore]  pam_krb5.so minimum_uid=10000

If, for example, you've only edited common-auth, but not common-password, authentication works with local accounts, but passwd still asks for the current kerberos password! (Which is exactly the mistake that led me here.)

pinjaliina
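Taken together, Ameer's and pinjaliina's answers say two things: raise minimum_uid above the UIDs of the local service accounts, and do it in every file under /etc/pam.d that loads pam_krb5.so. The script below is an added example, not code from either answer. It audits a pam.d directory for pam_krb5.so lines whose minimum_uid still covers a given local UID, and applies the raise to all of those files at once. It works on a constructed copy of the half-edited configuration in a temporary directory (common-auth already at 10000, common-password still at 1000), so it never touches /etc/pam.d; the file names, the UID 1001 for service1, the function names and the demo argument are assumptions.

```shell
#!/bin/sh
# Added example (not from any answer above): audit a pam.d directory for
# pam_krb5.so lines whose minimum_uid still covers a local service account.
# minimum_uid=N makes pam_krb5 skip users with uid < N, so any krb5 line with
# N <= the local uid is what makes passwd prompt for a Kerberos password.
# Assumes grep -R, awk, sed and mktemp; file names below are assumptions.

# krb5_lines DIR -> "file<TAB>minimum_uid" for each active pam_krb5.so line
# (0 when the option is absent, because pam_krb5 then applies to everyone)
krb5_lines() {
    grep -R 'pam_krb5\.so' "$1" | while IFS= read -r line; do
        file=${line%%:*}
        rest=${line#*:}
        case "$rest" in
            \#*) continue ;;        # commented-out line, not active
        esac
        min=$(printf '%s\n' "$rest" | sed -n 's/.*minimum_uid=\([0-9][0-9]*\).*/\1/p')
        printf '%s\t%s\n' "$file" "${min:-0}"
    done
}

# check_local_uid UID DIR -> exit 0 if every pam_krb5 line skips UID;
# otherwise print the files that still cover it and exit 1
check_local_uid() {
    offenders=$(krb5_lines "$2" | awk -F '\t' -v uid="$1" \
        '$2 <= uid { print $1 ": minimum_uid=" $2 " still covers uid " uid }')
    [ -z "$offenders" ] || { printf '%s\n' "$offenders"; return 1; }
}

# raise_min_uid DIR N -> rewrite every minimum_uid= under DIR to N
# (the fix from the answers, applied to all affected files at once)
raise_min_uid() {
    for f in $(krb5_lines "$1" | cut -f1 | sort -u); do
        sed "s/minimum_uid=[0-9]*/minimum_uid=$2/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# make_sample_pamd -> constructed pam.d reproducing the half-done edit that
# pinjaliina describes: common-auth raised to 10000, common-password still 1000
make_sample_pamd() {
    d=$(mktemp -d)
    cat > "$d/common-auth" <<'EOF'
auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=10000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
EOF
    cat > "$d/common-password" <<'EOF'
# password [success=3 default=ignore] pam_krb5.so   (commented out, ignored)
password        [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
EOF
    cat > "$d/common-account" <<'EOF'
account    required            pam_krb5.so minimum_uid=10000
EOF
    printf '%s\n' "$d"
}

# run as "sh thisscript.sh demo" to walk through the constructed directory
if [ "${1:-}" = demo ]; then
    d=$(make_sample_pamd)
    echo "service1 has uid 1001 (assumed); before the fix:"
    check_local_uid 1001 "$d" || echo "-> passwd would still ask for a Kerberos password"
    raise_min_uid "$d" 10000
    echo "after raising every minimum_uid to 10000:"
    check_local_uid 1001 "$d" && echo "-> pam_krb5 skips service1 in every file"
    rm -rf "$d"
fi
```

Point check_local_uid at the real /etc/pam.d with the UID from `id -u service1` to see which files still need the edit; any file it lists is one where pam_krb5 will be consulted for that account. The value you raise to has to stay below the lowest Kerberos-backed UID, otherwise pam_krb5 starts skipping domain users too.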
An indirect way to do it. Use mkpasswd to generate encrypted password:

mkpasswd --method=sha-512

Then use usermod to change the user's password:

usermod -p '<encrypted_password_from_mkpasswd>' <username>
user637358
No need to install anything extra or modify pam settings to change a local password.

sudo usermod -p "$(echo "password" | openssl passwd -stdin -6)" user

The -6 means SHA512 encryption, for some older linux systems, you could need to replace it with a -1 or a -5.

Reference: https://www.mkssoftware.com/docs/man1/openssl_passwd.1.asp

MetalGodwin
If your users are using Kerberos passwords, you can remove Kerberos password management from PAM, because the Kerberos password can be changed with the kpasswd command.

c4f4t0r