Impossible de modifier le mot de passe Kerberos avec passwd

J'ai configuré une authentification kerberos commune pour mon domaine. Après cela, ça fonctionne bien sans problèmes. Mais un user ne peut pas changer le mot de passe en utilisant la command Linux. À l'parsing, j'ai l'erreur ci-dessous dans /var/log/auth.log :

bharathi passwd [3715]: pam_unix (passwd: chauthtok): échec d'authentification; logname = test uid = 1000 euid = 0 tty = ruser = rhost = user = test

Réponse de Kerberos Admin Server.

 May 11 16:44:48 bharathi krb5kdc[28795](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.27.50: NEEDED_PREAUTH: test@ZMEDIA.COM for kadmin/changepw@ZMEDIA.COM, Additional pre-authentication required May 11 16:44:48 bharathi krb5kdc[28795](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.27.50: ISSUE: authtime 1368270888, etypes {rep=18 tkt=18 ses=18}, test@ZMEDIA.COM for kadmin/changepw@ZMEDIA.COM May 11 16:45:07 bharathi krb5kdc[28795](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.27.50: NEEDED_PREAUTH: test@ZMEDIA.COM for kadmin/changepw@ZMEDIA.COM, Additional pre-authentication required May 11 16:45:07 bharathi krb5kdc[28795](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.27.50: ISSUE: authtime 1368270907, etypes {rep=18 tkt=18 ses=18}, test@ZMEDIA.COM for kadmin/changepw@ZMEDIA.COM 

La réponse du server d'administration de kerberos semble être correcte. Je soupçonne que le problème pourrait être dans la configuration pam.d

common-auth

 # # /etc/pam.d/common-auth - authentication settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modules that define # the central authentication scheme for use on the system # (eg, /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. auth sufficient pam_krb5.so minimum_uid=1000 # here are the per-package modules (the "Primary" block) auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000 auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass auth [success=1 default=ignore] pam_lsass.so try_first_pass # here's the fallback if no module succeeds auth requirejsite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around auth required pam_permit.so # and here are more per-package modules (the "Additional" block) # end of pam-auth-update config 

count courant

  # # /etc/pam.d/common-account - authorization settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authorization modules that define # the central access policy for use on the system. The default is to # only deny service to users whose accounts are expired in /etc/shadow. # # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. # account required pam_krb5.so minimum_uid=1000 # here are the per-package modules (the "Primary" block) account [success=3 new_authtok_reqd=done default=ignore] pam_unix.so account [success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok account [success=1 new_authtok_reqd=done default=ignore] pam_lsass.so # here's the fallback if no module succeeds account requirejsite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around account required pam_permit.so # and here are more per-package modules (the "Additional" block) # end of pam-auth-update config 

mot de passe commun

  # # /etc/pam.d/common-password - password-related modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define the services to be # used to change user passwords. The default is pam_unix. # Explanation of pam_unix options: # # The "sha512" option enables salted SHA512 passwords. Without this option, # the default is Unix crypt. Prior releases used the option "md5". # # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in # login.defs. # # See the pam_unix manpage for other options. # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. # here are the per-package modules (the "Primary" block) password requirejsite pam_krb5.so minimum_uid=1000 password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 password [success=1 default=ignore] pam_lsass.so use_authtok try_first_pass # here's the fallback if no module succeeds password requirejsite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around password required pam_permit.so # and here are more per-package modules (the "Additional" block) password optional pam_gnome_keyring.so # end of pam-auth-update config 

Qu'est-ce que je fais mal ici?

Votre auth.log contient l'indice suivant:

bharathi passwd [3715]: pam_unix (passwd: chauthtok): échec d'authentification; logname = test uid = 1000 euid = 0 tty = ruser = rhost = user = test

En regardant le mot de passe commun, les lignes pertinentes sont les suivantes:

mot de passe requirejs pam_krb5.so minimum_uid = 1000

Le module Kerberos-PAM ne prend en charge que les users avec uid> = 1000, ce qui est bon pour que les counts locaux fonctionnent comme root même lorsque le réseau échoue.

La requête marque ce module comme toujours requirejs, alors, dans ce cas, le succès est stocké comme résultat, mais les modules suivants sont toujours exécutés.

mot de passe [success = 2 default = ignore ] pam_unix.so obscure use_authtok try_first_pass sha512

Le module suivant est le module Unix défaillant, qui tente maintenant de changer le mot de passe dans /etc/shadow . Mais comme il s'agit d'un user Kerberos, il n'y a probablement pas d'input dans /etc/shadow . En raison de l' ignorance, cet échec est ignoré: l'erreur est toujours enregistrée, mais le résultat de la stack PAM n'est pas modifié.

Mais ensuite, le module suivant suit:

mot de passe requirejs pam_deny.so

Cela va finalement écraser le code de résultat précédent avec le refus et donc refuser la request de modification du mot de passe.

S'il suffit de changer le mot de passe de Kerbers, modifiez la requête pour Kerberos dans [success = 3 default = ignore] , ce qui sauterait les 3 modules suivants (unix, lsass, nier) pour réussir et continuer ainsi avec pam_permit.so , ce qui oblige la stack à finalement réussir.

Si, d'autre part, vos users ont les deux inputs dans / etc / shadow et dans Kerberos, et vous souhaitez que ces deux passwords soient synchronisés, il devient beaucoup plus compliqué d'avoir réussi. Quelque chose comme à suivre devrait fonctionner:

  1. Essayez d'abord de changer le mot de passe Kerberos.
  2. Si cela réussit, essayez éventuellement de modifier également le mot de passe Unix local dans /etc/shadow .
  3. Sinon, il require le changement de mot de passe Unix réussisse.

     password [success=3 user_unknown=ignore default=ignore] pam_krb5.so minimum_uid=1000 password [success=3 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 password [success=2 default=ignore] pam_lsass.so use_authtok try_first_pass password requirejsite pam_deny.so password [success=ok default=ignore] pam_unix.so obscure use_authtok use_first_pass sha512 password required pam_permit.so