Debian Bug report logs - #656309
libpam-krb5: Unable to change password in the default setup

Package: libpam-krb5; Maintainer for libpam-krb5 is Russ Allbery <rra@debian.org>; Source for libpam-krb5 is src:libpam-krb5.

Reported by: Petter Reinholdtsen <pere@hungry.com>

Date: Wed, 18 Jan 2012 10:36:19 UTC

Severity: important

Found in version libpam-krb5/4.3-1

Fixed in version 4.4-3

Done: Russ Allbery <rra@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Russ Allbery <rra@debian.org>:
Bug#656309; Package libpam-krb5. (Wed, 18 Jan 2012 10:36:25 GMT) Full text and rfc822 format available.

Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
New Bug report received and forwarded. Copy sent to Russ Allbery <rra@debian.org>. (Wed, 18 Jan 2012 10:36:25 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Petter Reinholdtsen <pere@hungry.com>
To: submit@bugs.debian.org
Subject: libpam-krb5: Unable to change password in the default setup
Date: Wed, 18 Jan 2012 11:34:22 +0100
Package: libpam-krb5
Version: 4.3-1
Severity: important
User: debian-edu@lists.debian.org
Usertags: debian-edu

I discovered this in Debian Edu/Squeeze.  After installation, the passwd
tool is not able to change the password of a LDAP user with
authentication using Kerberos.

I see messages like this in auth.log when trying to change the password:

  Jan 18 11:08:18 tjener passwd[8124]: pam_unix(passwd:chauthtok): user
  "pere" does not exist in /etc/passwd

The user in question has uid = 1000.  The generated
/etc/pam.d/common-password file got this content (removed comments for
clarity):

  password requisite                  pam_krb5.so minimum_uid=1000
  password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
  password requisite                  pam_deny.so
  password required                   pam_permit.so
  password optional                   pam_gnome_keyring.so

Changing the 'requisite' for pam_krb5 to 'sufficient' makes password
changing work.  Is password changing supposed to be working in the
default setup in Squeeze?  What should the common-password file look
like in a correct setup?

-- System Information:
Debian Release: 6.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=nb_NO.UTF-8, LC_CTYPE=nb_NO.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-krb5 depends on:
ii  krb5-config         2.2                  Configuration files for Kerberos V
ii  libc6               2.11.2-10            Embedded GNU C Library: Shared lib
ii  libkrb5-3           1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries
ii  libpam-runtime      1.1.1-6.1+squeeze1   Runtime support for the PAM librar
ii  libpam0g            1.1.1-6.1+squeeze1   Pluggable Authentication Modules l

libpam-krb5 recommends no packages.

libpam-krb5 suggests no packages.

-- no debconf information




Reply sent to Russ Allbery <rra@debian.org>:
You have taken responsibility. (Wed, 18 Jan 2012 17:15:10 GMT) Full text and rfc822 format available.

Notification sent to Petter Reinholdtsen <pere@hungry.com>:
Bug acknowledged by developer. (Wed, 18 Jan 2012 17:15:11 GMT) Full text and rfc822 format available.

Message #10 received at 656309-done@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: Petter Reinholdtsen <pere@hungry.com>
Cc: 656309-done@bugs.debian.org
Subject: Re: Bug#656309: libpam-krb5: Unable to change password in the default setup
Date: Wed, 18 Jan 2012 09:14:18 -0800
Version: 4.4-3

Petter Reinholdtsen <pere@hungry.com> writes:

> I discovered this in Debian Edu/Squeeze.  After installation, the passwd
> tool is not able to change the password of a LDAP user with
> authentication using Kerberos.

> I see messages like this in auth.log when trying to change the password:

>   Jan 18 11:08:18 tjener passwd[8124]: pam_unix(passwd:chauthtok): user
>   "pere" does not exist in /etc/passwd

> The user in question has uid = 1000.  The generated
> /etc/pam.d/common-password file got this content (removed comments for
> clarity):

>   password requisite                  pam_krb5.so minimum_uid=1000
>   password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
>   password requisite                  pam_deny.so
>   password required                   pam_permit.so
>   password optional                   pam_gnome_keyring.so

> Changing the 'requisite' for pam_krb5 to 'sufficient' makes password
> changing work.  Is password changing supposed to be working in the
> default setup in Squeeze?  What should the common-password file look
> like in a correct setup?

Hi Petter,

This was fixed in 4.4-3:

  * Change the pam-auth-update configuration to skip remaining password
    stack by default modules if the Kerberos password change succeeds.
    This is more useful behavior for the common case of Kerberos accounts
    not having local passwords.  See README.Debian.gz for information
    about how to synchronize Kerberos and local passwords.  (LP: #826989)

The original configuration was a misguided attempt at making synchronizing
local and Kerberos passwords easier, but that's an uncommon case and it
broke the common case.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
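
The control-flag behaviour discussed in this message, as an added illustration that is not part of the thread or of the libpam-krb5 package: a simplified Python model of the quoted password stack, evaluated for a Kerberos-only account. The per-module results and the `[success=2 default=ignore]` rendering of the 4.4-3 "skip" behaviour are assumptions constructed for the example.

```python
# Simplified model of Linux-PAM control flags for one "password" stack.
# Simplifications: a single pass (the real stack runs a preliminary and an
# update pass) and a numeric jump only skips modules.
SHORTHAND = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}

def parse_control(control):
    """Map 'requisite' or '[success=1 default=ignore]' to result -> action."""
    if control.startswith("["):
        return dict(pair.split("=") for pair in control.strip("[]").split())
    return SHORTHAND[control]

def run_stack(stack, results):
    """Return (overall result, modules actually called)."""
    verdict, called, skip = None, [], 0
    for control, module in stack:
        if skip:                       # jumped over by an earlier success=N
            skip -= 1
            continue
        called.append(module)
        actions = parse_control(control)
        action = actions.get(results[module], actions["default"])
        if action.isdigit():
            skip = int(action)
        elif action in ("ok", "done") and verdict in (None, "success"):
            verdict = results[module]
        elif action in ("bad", "die"):
            verdict = "fail"
        if action in ("done", "die"):  # stop evaluating the stack here
            break
    return ("success" if verdict == "success" else "fail"), called

# Stack from the report; only the pam_krb5.so control differs between variants.
TAIL = [("[success=1 default=ignore]", "pam_unix.so"), ("requisite", "pam_deny.so"),
        ("required", "pam_permit.so"), ("optional", "pam_gnome_keyring.so")]
def stack_with(krb5_control):
    return [(krb5_control, "pam_krb5.so")] + TAIL

# Constructed results for an account that exists in Kerberos but not /etc/passwd.
KERBEROS_ONLY = {"pam_krb5.so": "success", "pam_unix.so": "fail", "pam_deny.so": "fail",
                 "pam_permit.so": "success", "pam_gnome_keyring.so": "ignore"}

if __name__ == "__main__":
    for control in ("requisite", "sufficient", "[success=2 default=ignore]"):
        print(control, run_stack(stack_with(control), KERBEROS_ONLY))
```

With `requisite`, the Kerberos change succeeds but pam_unix.so is still called, fails for the non-local user, and the stack ends at pam_deny.so; in the other two variants pam_unix.so is never reached.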




Information forwarded to debian-bugs-dist@lists.debian.org, Russ Allbery <rra@debian.org>:
Bug#656309; Package libpam-krb5. (Wed, 18 Jan 2012 17:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Russ Allbery <rra@debian.org>. (Wed, 18 Jan 2012 17:36:03 GMT) Full text and rfc822 format available.

Message #15 received at 656309@bugs.debian.org (full text, mbox):

From: Petter Reinholdtsen <pere@hungry.com>
To: 656309@bugs.debian.org
Subject: Re: Bug#656309: libpam-krb5: Unable to change password in the default setup
Date: Wed, 18 Jan 2012 18:33:00 +0100

[Russ Allbery]
> Hi Petter,

Hi.

> This was fixed in 4.4-3:

Ah, right.  Can you get a fix for this into Squeeze?

I am happy to report that the Squeeze based Debian Edu version will
have Kerberos with LDAP backend set up by default.  But at the moment
it is hard to figure out how to change the password. :)
-- 
Happy hacking
Petter Reinholdtsen




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#656309; Package libpam-krb5. (Wed, 18 Jan 2012 17:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. (Wed, 18 Jan 2012 17:42:03 GMT) Full text and rfc822 format available.

Message #20 received at 656309@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: Petter Reinholdtsen <pere@hungry.com>
Cc: 656309@bugs.debian.org
Subject: Re: Bug#656309: libpam-krb5: Unable to change password in the default setup
Date: Wed, 18 Jan 2012 09:38:46 -0800

Petter Reinholdtsen <pere@hungry.com> writes:

> Ah, right.  Can you get a fix for this into Squeeze?

> I am happy to report that the Squeeze based Debian Edu version will have
> Kerberos with LDAP backend set up by default.  But at the moment it is
> hard to figure out how to change the password. :)

Hm.  I'm a little nervous about doing this as a stable update because it's
the sort of thing that one doesn't change in stable.  The change would
break people who were relying on the default to synchronize passwords.  I
added a NEWS.Debian entry for it when I changed it in unstable, and
changes in behavior at the level of a NEWS.Debian entry seem like they
wouldn't meet the criteria for a stable update.

Would a backport be sufficient?  I should be able to backport the package
without too much difficulty, although I have to unwind the multiarch
changes.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>




Information forwarded to debian-bugs-dist@lists.debian.org, Russ Allbery <rra@debian.org>:
Bug#656309; Package libpam-krb5. (Wed, 18 Jan 2012 17:48:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Russ Allbery <rra@debian.org>. (Wed, 18 Jan 2012 17:48:11 GMT) Full text and rfc822 format available.

Message #25 received at 656309@bugs.debian.org (full text, mbox):

From: Petter Reinholdtsen <pere@hungry.com>
To: 656309@bugs.debian.org
Subject: Re: Bug#656309: libpam-krb5: Unable to change password in the default setup
Date: Wed, 18 Jan 2012 18:44:49 +0100

[Russ Allbery]
> Hm.  I'm a little nervous about doing this as a stable update
> because it's the sort of thing that one doesn't change in stable.
> The change would break people who were relying on the default to
> synchronize passwords.  I added a NEWS.Debian entry for it when I
> changed it in unstable, and changes in behavior at the level of a
> NEWS.Debian entry seem like they wouldn't meet the criteria for a
> stable update.

I can understand your reluctance, but believe the current default is
simply broken for most users of the package. :/

> Would a backport be sufficient?  I should be able to backport the
> package without too much difficulty, although I have to unwind the
> multiarch changes.

A backport would not really help us.  Then we would have to maintain
it in our repository.  It is probably less work for us to divert the
pam-configs file and only have to maintain one small file to activate
the change.  I'll test this approach if an update to Squeeze is out of
the question.
-- 
Happy hacking
Petter Reinholdtsen




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#656309; Package libpam-krb5. (Wed, 18 Jan 2012 18:10:41 GMT) Full text and rfc822 format available.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. (Wed, 18 Jan 2012 18:10:42 GMT) Full text and rfc822 format available.

Message #30 received at 656309@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: Petter Reinholdtsen <pere@hungry.com>
Cc: 656309@bugs.debian.org
Subject: Re: Bug#656309: libpam-krb5: Unable to change password in the default setup
Date: Wed, 18 Jan 2012 09:49:29 -0800

Petter Reinholdtsen <pere@hungry.com> writes:
> [Russ Allbery]

>> Hm.  I'm a little nervous about doing this as a stable update because
>> it's the sort of thing that one doesn't change in stable.  The change
>> would break people who were relying on the default to synchronize
>> passwords.  I added a NEWS.Debian entry for it when I changed it in
>> unstable, and changes in behavior at the level of a NEWS.Debian entry
>> seem like they wouldn't meet the criteria for a stable update.

> I can understand your reluctance, but believe the current default is
> simply broken for most users of the package. :/

Well, I can ask the release team and see what they think.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>




Information forwarded to debian-bugs-dist@lists.debian.org, Russ Allbery <rra@debian.org>:
Bug#656309; Package libpam-krb5. (Wed, 18 Jan 2012 22:54:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Russ Allbery <rra@debian.org>. (Wed, 18 Jan 2012 22:54:06 GMT) Full text and rfc822 format available.

Message #35 received at 656309@bugs.debian.org (full text, mbox):

From: Petter Reinholdtsen <pere@hungry.com>
To: 656309@bugs.debian.org
Subject: Re: Bug#656309: libpam-krb5: Unable to change password in the default setup
Date: Wed, 18 Jan 2012 23:50:54 +0100

[Russ Allbery]
> Well, I can ask the release team and see what they think.

Great.

I've tested, and I can divert away the non-working pam-configs/krb5
and replace it with our own.  This command works to move it away:

  dpkg-divert --package debian-edu-config --rename \
    --divert /usr/share/debian-edu-config/pam-config-krb5-orig \
    --add /usr/share/pam-configs/krb5

But it would be nice if we didn't have to do this.
-- 
Happy hacking
Petter Reinholdtsen




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#656309; Package libpam-krb5. (Wed, 18 Jan 2012 22:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. (Wed, 18 Jan 2012 22:57:03 GMT) Full text and rfc822 format available.

Message #40 received at 656309@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: Petter Reinholdtsen <pere@hungry.com>
Cc: 656309@bugs.debian.org
Subject: Re: Bug#656309: libpam-krb5: Unable to change password in the default setup
Date: Wed, 18 Jan 2012 14:55:22 -0800

Petter Reinholdtsen <pere@hungry.com> writes:

> Great.

> I've tested, and I can divert away the non-working pam-configs/krb5
> and replace it with our own.  This command works to move it away:

>   dpkg-divert --package debian-edu-config --rename \
>     --divert /usr/share/debian-edu-config/pam-config-krb5-orig \
>     --add /usr/share/pam-configs/krb5

> But it would be nice if we didn't have to do this.

Be sure to run pam-auth-update --package after doing this, btw, just in
case it's already run.

I've filed a bug with the release team to see what they think about a
stable update.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#656309; Package libpam-krb5. (Thu, 19 Jan 2012 17:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. (Thu, 19 Jan 2012 17:33:03 GMT) Full text and rfc822 format available.

Message #45 received at 656309@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: 656309@bugs.debian.org
Cc: Petter Reinholdtsen <pere@hungry.com>
Subject: Re: Bug#656309: libpam-krb5: Unable to change password in the default setup
Date: Thu, 19 Jan 2012 09:29:10 -0800

Russ Allbery <rra@debian.org> writes:
> Petter Reinholdtsen <pere@hungry.com> writes:
>> [Russ Allbery]

>>> Hm.  I'm a little nervous about doing this as a stable update because
>>> it's the sort of thing that one doesn't change in stable.  The change
>>> would break people who were relying on the default to synchronize
>>> passwords.  I added a NEWS.Debian entry for it when I changed it in
>>> unstable, and changes in behavior at the level of a NEWS.Debian entry
>>> seem like they wouldn't meet the criteria for a stable update.

>> I can understand your reluctance, but believe the current default is
>> simply broken for most users of the package. :/

> Well, I can ask the release team and see what they think.

I'm afraid the reaction of the stable release managers was pretty much the
same as my answer above: it's unfortunate that this is broken in stable,
but this sort of change is too much to take as a stable update.  I'm sorry
about that, and sorry for having sat on that bug for so long so that it
was left unfixed for squeeze.  :/

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>




Information forwarded to debian-bugs-dist@lists.debian.org, Russ Allbery <rra@debian.org>:
Bug#656309; Package libpam-krb5. (Fri, 20 Jan 2012 06:09:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Russ Allbery <rra@debian.org>. (Fri, 20 Jan 2012 06:09:05 GMT) Full text and rfc822 format available.

Message #50 received at 656309@bugs.debian.org (full text, mbox):

From: Petter Reinholdtsen <pere@hungry.com>
To: 656309@bugs.debian.org
Subject: Re: Bug#656309: libpam-krb5: Unable to change password in the default setup
Date: Fri, 20 Jan 2012 07:05:24 +0100

[Russ Allbery]
> I'm afraid the reaction of the stable release managers was pretty much
> the same as my answer above: it's unfortunate that this is broken in
> stable, but this sort of change is too much to take as a stable
> update.  I'm sorry about that, and sorry for having sat on that bug
> for so long so that it was left unfixed for squeeze.  :/

OK.  It was a long shot.  We will use the dpkg-divert approach for
Squeeze.  It is now implemented and seems to work fine.
-- 
Happy hacking
Petter Reinholdtsen




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 17 Feb 2012 07:32:58 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 11:13:37 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.