Password policy question [pam_krb5 problem]
ywang
YWang at unf.edu
Thu Feb 10 15:02:12 UTC 2005
Make pam_cracklib use a policy similar to (slightly more restrictive than) the one AD uses, so cracklib will catch the 'bad' password before AD does.
--Yu Wang
Information Technology Services
University of North Florida
(904) 620-2820
> -----Original Message-----
> From: pam-list-bounces at redhat.com
> [mailto:pam-list-bounces at redhat.com]On
> Behalf Of Lech Lachowicz
> Sent: Thursday, February 10, 2005 3:38 AM
> To: pam-list at redhat.com
> Subject: Password policy question [pam_krb5 problem]
>
>
> Hello.
> I'm trying to make users authenticate to a Linux box through Active
> Directory.
> Everything works just fine, except changing passwords. I'm able to
> change the password from the Linux box, but if I type a password that
> doesn't meet the policy on the AD server I get this in the logs:
>
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: configured realm 'MY.DOMAIN'
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flags:
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: no ignore_afs
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: user_check
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: use_authtok
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: no krb4_convert
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: warn
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: ticket lifetime: 0
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: renewable lifetime: 0
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: banner: Kerberos 5
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: ccache dir: /tmp
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: keytab: /etc/krb5.keytab
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: password changed for lech.lachowicz at MY.DOMAIN
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: obtaining credentials using new password for 'lech.lachowicz at MY.DOMAIN'
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: authenticating 'lech.lachowicz at MY.DOMAIN' to 'krbtgt/MY.DOMAIN at MY.DOMAIN'
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: krb5_get_init_creds_password(krbtgt/MY.DOMAIN at MY.DOMAIN) returned -1765328360 (Preauthentication failed)
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: pam_chauthtok returning 0 (Success)
>
> And on user terminal:
>
> [lech.lachowicz at sandbender lech.lachowicz]$ passwd
> Changing password for user lech.lachowicz.
> Kerberos 5 Password:
> New UNIX password:
> Retype new UNIX password:
> passwd: all authentication tokens updated successfully.
> [lech.lachowicz at sandbender lech.lachowicz]$
>
> The password is still the same. So my question is: what can I do to make
> pam_krb5 report an error if the password policy isn't met?
>
> My pam.d/passwd:
>
> password required pam_cracklib.so retry=3 minlen=6 dcredit=1 ucredit=
> password sufficient pam_unix.so nullok use_first_pass md5 shadow debug
> password required pam_krb5.so use_authtok debug
>
> --
> Regards,
> Lech Lachowicz
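A log check for the symptom in this thread, as an added example that is not part of the original messages or of pam_krb5: it flags a passwd session whose pam_krb5 debug log shows the login with the new password failing while pam_chauthtok still returns 0. The sample lines are constructed from the log quoted above (one syslog line each); the function name and the contents of the PID 7001 session are assumptions.

```python
import re
from collections import defaultdict

# "... passwd[PID]: pam_krb5[PID]: message" as written by syslog with pam_krb5 debug on
LINE = re.compile(r"\w+\[(?P<pid>\d+)\]: pam_krb5\[\d+\]: (?P<msg>.*)$")
CREDS = re.compile(r"krb5_get_init_creds_password\(.*\) returned (?P<code>-?\d+)")
CHAUTHTOK = re.compile(r"pam_chauthtok returning (?P<code>-?\d+)")

def find_silent_failures(lines):
    """Return (pid, krb5 error code) for sessions where obtaining credentials
    with the NEW password failed but pam_chauthtok still returned 0."""
    state = defaultdict(lambda: {"new_pw": False, "creds_rc": None})
    flagged = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not a pam_krb5 debug line
        pid, msg = int(m["pid"]), m["msg"]
        s = state[pid]
        if msg.startswith("obtaining credentials using new password"):
            s["new_pw"] = True
        elif s["new_pw"] and (c := CREDS.search(msg)):
            s["creds_rc"] = int(c["code"])
        elif (r := CHAUTHTOK.search(msg)):
            if int(r["code"]) == 0 and s["creds_rc"] not in (None, 0):
                flagged.append((pid, s["creds_rc"]))
            del state[pid]  # session finished, forget its state
    return flagged

# Constructed sample: PID 6075 mirrors the thread's log, PID 7001 is a clean change.
P = "Feb 10 09:17:14 sandbender passwd[%d]: pam_krb5[%d]: %s"
SAMPLE = [
    P % (6075, 6075, "password changed for user at MY.DOMAIN"),
    P % (6075, 6075, "obtaining credentials using new password for 'user at MY.DOMAIN'"),
    P % (7001, 7001, "obtaining credentials using new password for 'other at MY.DOMAIN'"),
    P % (6075, 6075, "krb5_get_init_creds_password(krbtgt/MY.DOMAIN at MY.DOMAIN) "
                     "returned -1765328360 (Preauthentication failed)"),
    P % (7001, 7001, "krb5_get_init_creds_password(krbtgt/MY.DOMAIN at MY.DOMAIN) "
                     "returned 0 (Success)"),
    P % (6075, 6075, "pam_chauthtok returning 0 (Success)"),
    P % (7001, 7001, "pam_chauthtok returning 0 (Success)"),
]

if __name__ == "__main__":
    for pid, rc in find_silent_failures(SAMPLE):
        print(f"passwd[{pid}]: reported success, new-password login failed ({rc})")
```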