In your setup, the shadow information is interpreted by pam_unix (not pam_ldap), but, assuming you have no local user, still comes from LDAP (via nss_ldap). Please check if your user has the auxiliary objectclass shadowAccount configured, and check the associated attributes (specifically shadowLastChange, shadowMax and shadowExpire).

If I had to venture a guess, I would say that changing the password via Kerberos works correctly, but then libnss-ldap does not have enough permissions to update shadowLastChange, which fails silently, but causes pam_unix to prompt for another password update.

Depending on your exact Kerberos configuration, if your Kerberos passwords are stored in the LDAP server anyhow, you might want to consider pam_ldap for password updates. If you do, make sure TLS or SSL works correctly between the user-facing hosts and the LDAP server.
-- 
libpam-krb5 default configuration does not allow login for LDAP users
https://bugs.launchpad.net/bugs/411249
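The check suggested in the comment above can be scripted; this is an added example, not part of the bug report or of any package discussed in it. It classifies a user's shadowAccount attributes with a simplified reading of the shadow(5) aging rules (shadowInactive and shadowWarning are ignored); the function names, base DN, uid and sample entry are constructed for illustration.

```shell
# Classify an LDIF entry read on stdin by its shadowAccount aging attributes.
# Real use (assumed base DN and uid, adjust to your directory):
#   ldapsearch -x -LLL -b "dc=example,dc=com" "(uid=jdoe)" \
#       objectClass shadowLastChange shadowMax shadowExpire | shadow_status
shadow_status() {
    # $1: "today" as days since 1970-01-01 (defaults to the current date)
    today="${1:-$(( $(date +%s) / 86400 ))}"
    awk -v today="$today" '
        tolower($1) == "objectclass:" && tolower($2) == "shadowaccount" { has_class = 1 }
        tolower($1) == "shadowlastchange:" { last = $2 }
        tolower($1) == "shadowmax:"        { max = $2 }
        tolower($1) == "shadowexpire:"     { expire = $2 }
        END {
            # Without the auxiliary class the aging attributes cannot be set.
            if (!has_class) { print "no-shadowAccount"; exit }
            # shadowExpire is an absolute day number; -1 or unset means never.
            if (expire != "" && expire + 0 > 0 && today + 0 >= expire + 0) {
                print "account-expired"; exit
            }
            if (last == "") { print "aging-disabled"; exit }
            # 0 means the password must be changed at the next login.
            if (last + 0 == 0) { print "change-required"; exit }
            # A stale shadowLastChange keeps triggering this branch even
            # after the password itself was changed elsewhere.
            if (max != "" && max + 0 >= 0 && today - last > max + 0) {
                print "password-expired"; exit
            }
            print "ok"
        }'
}

# Constructed sample entry (not from the bug report); $1 = shadowLastChange.
sample_entry() {
    printf '%s\n' \
        "dn: uid=jdoe,ou=People,dc=example,dc=com" \
        "objectClass: posixAccount" \
        "objectClass: shadowAccount" \
        "shadowLastChange: $1" \
        "shadowMax: 90" \
        "shadowExpire: -1"
}

# Day 14600 with a last change on day 14400: 200 days > shadowMax of 90.
sample_entry 14400 | shadow_status 14600
# Same day after shadowLastChange was updated along with the password.
sample_entry 14600 | shadow_status 14600
```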