Password policy question [pam_krb5 problem]

ywang YWang at unf.edu
Thu Feb 10 15:02:12 UTC 2005


Make pam_cracklib use a similar (slightly more restrictive) policy to the one AD uses, so cracklib will catch the 'bad' password before AD does.

--Yu Wang

Information Technology Services
University of North Florida
(904) 620-2820



> -----Original Message-----
> From: pam-list-bounces at redhat.com [mailto:pam-list-bounces at redhat.com] On Behalf Of Lech Lachowicz
> Sent: Thursday, February 10, 2005 3:38 AM
> To: pam-list at redhat.com
> Subject: Password policy question [pam_krb5 problem]
> 
> 
> Hello.
> I'm trying to make users authenticate to a Linux box through Active
> Directory.
> Everything works just fine, except changing passwords. I'm able to
> change the password from the Linux box, but if I type a password that
> doesn't meet the policy on the AD server I get this in the logs:
> 
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: configured realm 'MY.DOMAIN'
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flags:
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: no ignore_afs
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: user_check
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: use_authtok
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: no krb4_convert
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: warn
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: ticket lifetime: 0
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: renewable lifetime: 0
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: banner: Kerberos 5
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: ccache dir: /tmp
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: keytab: /etc/krb5.keytab
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: password changed for lech.lachowicz at MY.DOMAIN
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: obtaining credentials using new password for 'lech.lachowicz at MY.DOMAIN'
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: authenticating 'lech.lachowicz at MY.DOMAIN' to 'krbtgt/MY.DOMAIN at MY.DOMAIN'
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: krb5_get_init_creds_password(krbtgt/MY.DOMAIN at MY.DOMAIN) returned -1765328360 (Preauthentication failed)
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: pam_chauthtok returning 0 (Success)
> 
> And on user terminal:
> 
> [lech.lachowicz at sandbender lech.lachowicz]$ passwd
> Changing password for user lech.lachowicz.
> Kerberos 5 Password: 
> New UNIX password: 
> Retype new UNIX password: 
> passwd: all authentication tokens updated successfully.
> [lech.lachowicz at sandbender lech.lachowicz]$
> 
> Password is still the same. So my question is: what can I do to make
> pam_krb5 report an error if the password policy isn't met?
> 
> My pam.d/passwd:
> 
> password    required       pam_cracklib.so retry=3 minlen=6  dcredit=1 ucredit=
> password    sufficient     pam_unix.so nullok use_first_pass md5 shadow debug
> password    required       pam_krb5.so use_authtok debug
> 
> --
> Pozdrawiam,
> Lech Lachowicz
> 
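
A log check for the failure shown in the quoted syslog output, added here as an example and not code from this thread or from pam_krb5: it flags any passwd process where pam_krb5 logged "password changed", then failed to obtain credentials with the new password, yet pam_chauthtok returned 0. The sample log is constructed (host, PIDs and principals are made up) and the function name is hypothetical.

```python
import re

# Constructed sample in the syslog format quoted above (wrapped lines joined;
# host, PIDs and principals are made up). PID 6075 mirrors the reported case.
SAMPLE_LOG = """\
Feb 10 09:17:14 host1 passwd[6075]: pam_krb5[6075]: password changed for alice@EXAMPLE.TEST
Feb 10 09:17:14 host1 passwd[6075]: pam_krb5[6075]: obtaining credentials using new password for 'alice@EXAMPLE.TEST'
Feb 10 09:17:14 host1 passwd[6075]: pam_krb5[6075]: krb5_get_init_creds_password(krbtgt/EXAMPLE.TEST@EXAMPLE.TEST) returned -1765328360 (Preauthentication failed)
Feb 10 09:17:14 host1 passwd[6075]: pam_krb5[6075]: pam_chauthtok returning 0 (Success)
Feb 10 09:20:02 host1 passwd[6101]: pam_krb5[6101]: password changed for bob@EXAMPLE.TEST
Feb 10 09:20:02 host1 passwd[6101]: pam_krb5[6101]: obtaining credentials using new password for 'bob@EXAMPLE.TEST'
Feb 10 09:20:02 host1 passwd[6101]: pam_krb5[6101]: pam_chauthtok returning 0 (Success)
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ passwd\[\d+\]: pam_krb5\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CHANGED = re.compile(r"^password changed for (?P<principal>\S+)$")
NEW_PW_FAIL = re.compile(r"^krb5_get_init_creds_password\(.*\) returned (?P<code>-?\d+) \((?P<text>.+)\)$")
RETURN = re.compile(r"^pam_chauthtok returning (?P<rc>-?\d+) ")


def find_silent_failures(log_text):
    """Return one finding per passwd process where pam_krb5 logged a failed
    login with the new password yet pam_chauthtok still returned 0."""
    state = {}  # pid -> facts seen since "password changed" for that process
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a pam_krb5 debug line from passwd
        pid, msg = m["pid"], m["msg"]
        if c := CHANGED.match(msg):
            state[pid] = {"principal": c["principal"], "ts": m["ts"]}
        elif (f := NEW_PW_FAIL.match(msg)) and int(f["code"]) != 0 and pid in state:
            # Only failures after "password changed" count: those use the new password.
            state[pid]["error"] = f["text"]
        elif r := RETURN.match(msg):
            seen = state.pop(pid, {})
            if int(r["rc"]) == 0 and "error" in seen:
                findings.append((seen["ts"], pid, seen["principal"], seen["error"]))
    return findings


if __name__ == "__main__":
    for ts, pid, principal, error in find_silent_failures(SAMPLE_LOG):
        print(f"{ts} pid={pid} {principal}: reported success, new password failed ({error})")
```

The check depends on pam_krb5 running with the `debug` option, as in the quoted pam.d/passwd, since these messages are debug output.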




