This article applies to UCS 4.4-7 errata904 and later versions.
Univention Corporate Server has a patched version of libpam-heimdal (source package: libpam-krb5), which provides the PAM module pam_krb5.so.
When users have to change their password on the next login, the upstream behavior of pam_krb5.so is to obtain a new ticket after the password change.
In UCS the pam_krb5.so PAM module is often used in combination with other PAM modules. The interaction and order of PAM modules in the domain may cause the PAM module to attempt the ticket request against a KDC that has not yet replicated the password, especially when an AD Connector is running. This causes the password change to fail.
The modified version of pam_krb5.so in UCS does not request a Kerberos ticket after the user has had to change the password during a login.
If a scenario requires it, the original upstream behavior can be re-activated by setting the UCR variable to true. The valid options for the UCR variable are true, which restores the upstream behavior, and false; if the variable is false or unset (default), the default UCS behavior is used.