Password policy question [pam_krb5 problem]

Lech Lachowicz Lech.Lachowicz at polkomtel.com.pl
Thu Feb 10 08:37:59 UTC 2005


Hello.
I'm trying to make users authenticate to a Linux box through Active
Directory.
Everything works just fine, except changing passwords. I'm able to
change the password from the Linux box, but if I type a password that
doesn't meet the policy on the AD server I get this in the logs:

Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: configured realm 'MY.DOMAIN'
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flags:
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: no ignore_afs
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: user_check
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: use_authtok
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: no krb4_convert
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: warn
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: ticket lifetime: 0
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: renewable lifetime: 0
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: banner: Kerberos 5
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: ccache dir: /tmp
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: keytab: /etc/krb5.keytab
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: password changed for lech.lachowicz at MY.DOMAIN
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: obtaining credentials using new password for 'lech.lachowicz at MY.DOMAIN'
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: authenticating 'lech.lachowicz at MY.DOMAIN' to 'krbtgt/MY.DOMAIN at MY.DOMAIN'
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: krb5_get_init_creds_password(krbtgt/MY.DOMAIN at MY.DOMAIN) returned -1765328360 (Preauthentication failed)
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: pam_chauthtok returning 0 (Success)

And on user terminal:

[lech.lachowicz at sandbender lech.lachowicz]$ passwd
Changing password for user lech.lachowicz.
Kerberos 5 Password: 
New UNIX password: 
Retype new UNIX password: 
passwd: all authentication tokens updated successfully.
[lech.lachowicz at sandbender lech.lachowicz]$

The password is still the same. So my question is: what can I do to make
pam_krb5 report an error if the password policy isn't met?

My pam.d/passwd:

password    required       pam_cracklib.so retry=3 minlen=6 dcredit=1 ucredit=
password    sufficient     pam_unix.so nullok use_first_pass md5 shadow debug
password    required       pam_krb5.so use_authtok debug

--
Regards,
Lech Lachowicz
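As an added example (not part of the original post, and not pam_krb5 code): a log check that replays the debug lines above, joined back onto single lines, plus a constructed second session, and flags any passwd run in which pam_krb5 logged a Kerberos error after "password changed" yet pam_chauthtok still returned 0. This surfaces from syslog the silent failure the post describes, so an operator can see password changes the KDC actually rejected.

```python
import re
from collections import defaultdict

# Constructed sample: the post's pam_krb5 debug lines with wrapping undone
# (PID 6075; the list archive renders '@' as ' at '), plus a second,
# made-up session (PID 6102) in which the new password worked.
SAMPLE_LOG = """\
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: password changed for lech.lachowicz at MY.DOMAIN
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: obtaining credentials using new password for 'lech.lachowicz at MY.DOMAIN'
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: authenticating 'lech.lachowicz at MY.DOMAIN' to 'krbtgt/MY.DOMAIN at MY.DOMAIN'
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: krb5_get_init_creds_password(krbtgt/MY.DOMAIN at MY.DOMAIN) returned -1765328360 (Preauthentication failed)
Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: pam_chauthtok returning 0 (Success)
Feb 10 09:20:01 sandbender passwd[6102]: pam_krb5[6102]: password changed for jane.doe at MY.DOMAIN
Feb 10 09:20:01 sandbender passwd[6102]: pam_krb5[6102]: obtaining credentials using new password for 'jane.doe at MY.DOMAIN'
Feb 10 09:20:01 sandbender passwd[6102]: pam_krb5[6102]: pam_chauthtok returning 0 (Success)
"""

PID_RE = re.compile(r"pam_krb5\[(\d+)\]: (.*)$")
CHANGED_RE = re.compile(r"password changed for (\S+(?: at |@)\S+)")
KRB_ERR_RE = re.compile(r"krb5_get_init_creds_password\([^)]*\) returned (-?\d+) \(([^)]*)\)")
RESULT_RE = re.compile(r"pam_chauthtok returning (-?\d+)")

def find_silent_failures(log_text):
    """Return (pid, principal, krb5_code, krb5_text) for each passwd
    session where pam_krb5 could not get a TGT with the new password
    but pam_chauthtok still reported 0 to the PAM stack."""
    sessions = defaultdict(lambda: {"principal": None, "errors": [], "result": None})
    for line in log_text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue  # not a pam_krb5 line
        pid, msg = m.groups()
        s = sessions[pid]
        if (c := CHANGED_RE.search(msg)):
            s["principal"] = c.group(1)
        elif (e := KRB_ERR_RE.search(msg)):
            s["errors"].append((int(e.group(1)), e.group(2)))
        elif (r := RESULT_RE.search(msg)):
            s["result"] = int(r.group(1))
    findings = []
    for pid, s in sorted(sessions.items(), key=lambda kv: int(kv[0])):
        if s["result"] == 0 and s["errors"]:
            code, text = s["errors"][-1]  # the last Kerberos error wins
            findings.append((pid, s["principal"], code, text))
    return findings

if __name__ == "__main__":
    for pid, who, code, text in find_silent_failures(SAMPLE_LOG):
        print(f"passwd[{pid}]: {who}: KDC said '{text}' ({code}) but PAM reported success")
```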