[5436] in Release_7.7_team
Re: Status update on replacing Athena login with PAM modules
daemon@ATHENA.MIT.EDU (Robert Basch)
Wed Mar 29 17:42:43 2006
In-Reply-To: <9EE9ADCF-18D1-458E-A7D1-13D270A05EAF@MIT.EDU>
Mime-Version: 1.0 (Apple Message framework v746.3)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <37DE9124-D4E4-45A1-82C8-5D84AC2BD249@mit.edu>
Cc: Greg Hudson <ghudson@mit.edu>, release-team@mit.edu
Content-Transfer-Encoding: 7bit
From: Robert Basch <rbasch@MIT.EDU>
Date: Wed, 29 Mar 2006 17:42:37 -0500
To: Robert Basch <rbasch@mit.edu>
X-Spam-Score: 1.217
X-Spam-Level: * (1.217)
X-Spam-Flag: NO
> when TGT verification is enabled,
> password changing via pam_krb5 seems to fail reproducibly, with
> "Authentication token manipulation error". I will look into this
> further...
pam_krb5 indeed tries to verify the kadmin/changepw credentials
obtained when changing the password, if TGT verification is
enabled. I submitted a bug report with correcting patch to Red Hat
(https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187303).
One other note: when the pam_cracklib module is used, by default
it prompts for the "New UNIX password"; by specifying the option
"type=" in /etc/pam.d/system-auth, the prompt will simply be
"New password".
Bob
