On our system, one is never able to use "passwd" to change passwords because the pam_krb5 module assumes that if you haven't passed PAM_UPDATE_AUTHTOK in the password module you've screwed up the protocol. This appears to be related to a comment in the README file:

When is pam_sm_chauthtok() ever called with flags other than PAM_UPDATE_AUTHTOK?

I found the answer on: http://www.opengroup.org/onlinepubs/8329799/pam_sm_chauthtok.htm and have created and tested a patch that seems to work. This is a very basic solution that the original author can probably elaborate upon. I'll attach the patch file and submit it upstream to Frank Cusack.

Reproducible: Always

Steps to Reproduce:
1. Type "passwd"

Actual Results: passwd: Authentication token modification error

Expected Results: Asked for a password, a new password, a confirm password, and made the changes.

This patch might not always be necessary; I haven't dug into the PAM libraries themselves to see how they call password modules. Anyway, we have a weird setup mixing a bunch of different platforms, so it may be fairly unique.

Portage 2.0.51-r14 (default-linux/x86/2004.3, gcc-3.3.5, glibc-2.3.4.20040808-r1, 2.6.7-gentoo-r5 i686)
=================================================================
System uname: 2.6.7-gentoo-r5 i686 Intel(R) Pentium(R) 4 CPU 2.66GHz
Gentoo Base System version 1.4.16
Python: dev-lang/python-2.3.4 [2.3.4 (#1, Oct 26 2004, 15:47:23)]
distcc[8629] (dcc_mkdir) ERROR: mkdir /home/grads/sterling/.distcc/state failed: Permission denied [disabled]
ccache version 2.3 [enabled]
dev-lang/python: 2.3.4
sys-devel/autoconf: 2.59-r5
sys-devel/automake: 1.8.5-r1
sys-devel/binutils: 2.15.92.0.2-r1
sys-devel/libtool: 1.5.2-r7
virtual/os-headers: 2.4.21-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O3 -march=i686 -funroll-loops -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-O3 -march=i686 -funroll-loops -fomit-frame-pointer -pipe"
DISTDIR="/common/admin/linux/gentoo/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms"
GENTOO_MIRRORS="ftp://ftp.ussg.iu.edu/pub/linux/gentoo ftp://ftp.gtlib.cc.gatech.edu/pub/gentoo http://mirror.clarkson.edu/pub/distributions/gentoo/ http://mirrors.tds.net/gentoo http://gentoo.seren.com/gentoo"
MAKEOPTS="-j2"
PKGDIR="/common/admin/linux/gentoo/packages/i686-lab"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage-cis"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X Xaw3d accessibility aim alsa apache2 apm arts avi berkdb bidi bitmap-fonts bonobo canna cdr cjk crypt cscope dga directfb doc dvd emacs encode esd evo f77 fam fbcon fftw flac font-server foomaticdb fortran freewnn gb gd gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml guile icq imagemagick imap imlib ipv6 jabber java jikes jpeg junit kde kerberos krb4 ldap leim libg++ libgda libwww mad maildir mcal mikmod motif mozilla mpeg mpi msn mule multislot mysql ncurses nls objc odbc oggvorbis opengl oscar oss pam pdflib perl plotutils png python qt quicktime readline samba sdl slang snmp spell sqlite ssl svga tcltk tcpd tetex tiff truetype truetype-fonts type1-fonts unicode usb wmf workstation xml xml2 xmms xv yahoo zlib"
Unset: LDFLAGS

Created attachment 49232
This patch handles the PAM_PRELIM_CHECK message but allows all else to err
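
Added example, not the attached patch and not pam_krb5 source: a small C model of the two-pass pam_sm_chauthtok() protocol the report refers to, contrasting a handler that rejects everything except PAM_UPDATE_AUTHTOK with one that accepts PAM_PRELIM_CHECK without changing anything. The function names, the run_password_stack() driver and the PAM_AUTHTOK_ERR return in the "before" handler are assumptions; the constants mirror Linux-PAM's values so the model builds without libpam.

```c
#include <stdio.h>

/* Flag and return values mirrored from Linux-PAM headers so this model
 * builds without libpam; a real module includes <security/pam_modules.h>. */
#define PAM_PRELIM_CHECK   0x4000
#define PAM_UPDATE_AUTHTOK 0x2000
#define PAM_SUCCESS        0
#define PAM_AUTHTOK_ERR    20

typedef int (*chauthtok_fn)(int flags);

static int updates;  /* times the (simulated) password change actually ran */

/* Behaviour described in the report: anything but the update pass is an error. */
int chauthtok_before(int flags) {
    if (!(flags & PAM_UPDATE_AUTHTOK))
        return PAM_AUTHTOK_ERR;
    updates++;
    return PAM_SUCCESS;
}

/* Behaviour the attachment describes: accept the preliminary pass, change
 * nothing during it, and still reject any other flag combination. */
int chauthtok_after(int flags) {
    if (flags & PAM_PRELIM_CHECK)
        return PAM_SUCCESS;      /* readiness check only, no side effects */
    if (!(flags & PAM_UPDATE_AUTHTOK))
        return PAM_AUTHTOK_ERR;
    updates++;
    return PAM_SUCCESS;
}

/* Hypothetical stand-in for the framework's two calls into a password
 * module: preliminary check first, update only if that succeeded. */
int run_password_stack(chauthtok_fn module, int *updates_out) {
    updates = 0;
    int rc = module(PAM_PRELIM_CHECK);
    if (rc == PAM_SUCCESS)
        rc = module(PAM_UPDATE_AUTHTOK);
    *updates_out = updates;
    return rc;
}

int main(void) {
    int n;
    printf("before: rc=%d ", run_password_stack(chauthtok_before, &n));
    printf("updates=%d\n", n);
    printf("after:  rc=%d ", run_password_stack(chauthtok_after, &n));
    printf("updates=%d\n", n);
    return 0;
}
```

The point to check in any real module is the same one the model counts: the credential change runs exactly once, in the PAM_UPDATE_AUTHTOK pass, and never during PAM_PRELIM_CHECK.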
It's been a long while since I posted this'n'. You guys going to look at it and at least tell me to tell the original author (which I've done, for the good that didn't do) or what?
Post to the openafs-devel@openafs.org list. ;)
Marking dupe to the bump request; really, all the krb issues should be reviewed after a bump.

*** This bug has been marked as a duplicate of 26509 ***