"Daniel Richard G." <sk...@iskunk.org> writes:

> Okay, here is /etc/pam.d/common-auth:

> auth  [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
> auth  [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
> auth  requisite                       pam_deny.so
> auth  required                        pam_permit.so

> And here is /etc/pam.d/common-password:

> password      requisite                       pam_krb5.so minimum_uid=1000
> password      [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512

Yeah, I suspect it would do what you want if you made this match the
common-auth configuration.

> password      requisite                       pam_deny.so
> password      required                        pam_permit.so

> (Both of these were produced by pam-auth-update, from stock PAM
> profiles.)

> In the auth stack, pam_krb5 succeeding is enough to allow login. Why
> doesn't the PAM profile for libpam-krb5 likewise specify "[success=end
> default=ignore]" for the password stack? As things are, you get
> inconsistent behavior between the two stacks.

It was the way Steve implemented this originally, and I remember that he
had some rationale for it, but I don't remember what it is.  :/  I'll ask
him separately.  It may be that they should change.

Thanks, that gets me pointed in the right direction.

-- 
Russ Allbery (r...@debian.org)               <http://www.eyrie.org/~eagle/>
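
An added illustration, not part of the original message or of libpam-krb5: a small Python model of how the control fields in the two quoted stacks are evaluated. The outcome table (pam_krb5 succeeds, pam_unix fails, i.e. a Kerberos-only account), the function names and the third stack, which applies the suggestion of making common-password match common-auth, are assumptions of this sketch.

```python
# Added illustration: a minimal model of how Linux-PAM walks a stack (no real PAM calls).
SHORTHAND = {  # expansions of the classic control keywords, reduced to success/default
    "requisite": {"success": "ok", "default": "die"},
    "required": {"success": "ok", "default": "bad"},
}
COMMON_AUTH = """
auth  [success=2 default=ignore]  pam_krb5.so minimum_uid=1000
auth  [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so
"""
COMMON_PASSWORD = """
password  requisite                   pam_krb5.so minimum_uid=1000
password  [success=1 default=ignore]  pam_unix.so obscure use_authtok try_first_pass sha512
password  requisite                   pam_deny.so
password  required                    pam_permit.so
"""
PASSWORD_MATCHED = COMMON_PASSWORD.replace("requisite", "[success=2 default=ignore]", 1)  # krb5 line only
# Assumed module outcomes for a Kerberos-only account (constructed, not from the page).
KRB_ONLY = {"pam_krb5.so": True, "pam_unix.so": False, "pam_deny.so": False, "pam_permit.so": True}

def parse_stack(text):
    """Turn pam.d lines into (control-dict, module-name) pairs."""
    stack = []
    for line in text.strip().splitlines():
        rest = line.split(None, 1)[1]            # drop the "auth"/"password" column
        if rest.startswith("["):
            ctrl, rest = rest[1:].split("]", 1)
            control = dict(kv.split("=") for kv in ctrl.split())
        else:
            word, rest = rest.split(None, 1)
            control = SHORTHAND[word]
        stack.append((control, rest.split()[0]))
    return stack

def run_stack(stack, outcome):
    """outcome maps module name -> True (PAM_SUCCESS) or False (any error)."""
    ok_seen, failed, i = False, False, 0
    while i < len(stack):
        control, module = stack[i]
        action = control["success" if outcome[module] else "default"]
        i += 1
        if action.isdigit():
            i += int(action)                     # success=N: skip the next N modules
        elif action == "die":
            return False                         # requisite failure ends the stack at once
        ok_seen |= action == "ok"                # "ignore" contributes nothing
        failed |= action == "bad"
    return ok_seen and not failed
```

With these inputs the model allows the auth stack, denies the stock password stack at pam_deny, and allows the matched password stack.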

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/826989

Title:
  Cannot change Kerberos password with passwd(1)
