[Freeipa-users] pam settings for changing password under FreeIPA

Nick Gresham n.gresham at manchester.ac.uk
Thu Oct 23 17:00:29 UTC 2008


Hi,

As I mentioned previously, I've been trialling FreeIPA for the
Bioinformatics Group at Manchester University.

Generally, things are going well: our primary FreeIPA server is a Fedora
9 machine, and we are replicating matters over to a Centos 5.2 box (we
built and installed the RPMs from the freeipa-1.1.1 release on these).

Where we are hitting trouble, however, is in devising the correct pam
and ssh settings to allow users to reset their passwords on client
machines (which could be their desktops or servers that they access
remotely over ssh).

We are even having trouble with the case where the client is a Fedora 9 VM.

Here we have in /etc/pam.d/system-auth:

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_ldap.so try_first_pass use_authtok
password    required      pam_deny.so

And in /etc/ssh/sshd:

PasswordAuthentication no
ChallengeResponseAuthentication yes
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
UsePAM yes

Now when a user whose password has been reset on one of the freeipa
servers attempts to log in, he or she is informed that the password has
expired and is prompted to change it, but the change fails with errors like

Oct 23 17:47:42 c*******h sshd[20920]: pam_unix(sshd:chauthtok): user
"m****" does not exist in /etc/passwd
Oct 23 17:48:14 c*******h sshd[20920]: pam_krb5[20920]: password change
failed for m****@S***H.MAN.AC.UK: Cannot contact any KDC for requested realm
Oct 23 17:48:14 c*******h sshd[20918]: error: PAM: Authentication token
manipulation error for m**** from l***.s***h.man.ac.uk

on the client, and

Oct 23 17:47:59 i*******h kpasswd[27429]: Unable to read request: Key
version number for principal in key table is incorrect

on the freeipa server.

In fact the only case where we have this working at present is when the
client is OpenSuSE-11: that is using pam_krb5-2.2.22-35.2.

Could anyone suggest some guidelines for arriving at the winning
combination of settings?

Many thanks in advance,

[NG]

--
N.J. Gresham
FLS/IS AIO
Systems Administration and Support

University of Manchester
Faculty of Life Sciences

int: 7759349
ext: 0790-989-3684


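An added illustration, not part of the original post or of FreeIPA itself: a small Python model of how Linux-PAM walks the password stack quoted above under its requisite/required/sufficient controls, fed a constructed per-module outcome map that mirrors the logged errors (no local passwd entry for pam_unix, no reachable KDC for pam_krb5; pam_ldap and pam_deny are assumed to fail). It is a simplified model that only distinguishes success, user-unknown and failure, but it shows which module has to succeed for a change to go through.

```python
# Constructed copy of the system-auth password stack from the post,
# including a '\' line continuation, which PAM config files allow.
SYSTEM_AUTH = """\
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok \\
    try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_ldap.so try_first_pass use_authtok
password    required      pam_deny.so
"""

# Per-module outcomes mirroring the client log: no local user for pam_unix,
# no reachable KDC for pam_krb5; pam_ldap and pam_deny are assumed to fail.
LOGGED_OUTCOMES = {"pam_unix.so": "user_unknown", "pam_krb5.so": "fail",
                   "pam_ldap.so": "fail", "pam_deny.so": "fail"}

def parse_stack(text: str, ptype: str = "password") -> list:
    """Return (control, module, args) entries of one group, joining '\\' lines."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # entry continues on the next line
            pending = line[:-1] + " "
            continue
        pending = ""
        parts = line.split()
        if parts and parts[0] == ptype:  # skips blanks and '#' comments
            entries.append((parts[1], parts[2], parts[3:]))
    return entries

def walk_stack(entries: list, outcomes: dict) -> tuple:
    """Apply requisite/required/sufficient; outcomes: module -> success|user_unknown|fail."""
    trace, first_failure = [], None
    for control, module, _args in entries:
        rc = outcomes.get(module, "success")
        trace.append(f"{control:10} {module}: {rc}")
        if control == "requisite" and rc != "success":
            return "fail", trace                       # die: stop at once
        if control == "required" and rc != "success":
            first_failure = first_failure or module    # remember, keep walking
        if control == "sufficient" and rc == "success":
            # done: stack ends here, but an earlier required failure still wins
            return ("fail" if first_failure else "success"), trace
        # sufficient with any non-success (user_unknown included) is ignored
    return ("fail" if first_failure else "success"), trace

if __name__ == "__main__":
    result, trace = walk_stack(parse_stack(SYSTEM_AUTH), LOGGED_OUTCOMES)
    print("\n".join(trace), "\n=>", result)
```

Because pam_ldap is marked required rather than sufficient and pam_deny always fails, the model reports success only when pam_unix or pam_krb5 itself succeeds.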