Password change via Kerberos - No ticket immediately after pwchange

This article applies to UCS 4.4-7 errata904 and later versions.

Univention Corporate Server ships a patched version of libpam-heimdal (source package: libpam-krb5), which provides the PAM module pam_krb5.so.

When users have to change their password on the next login, the upstream behavior of pam_krb5.so is to obtain a new ticket after the password change.

In UCS, the pam_krb5.so PAM module is often used in combination with other PAM modules. Depending on the interaction and order of the PAM modules in the domain, the ticket request may be made against a KDC that has not yet replicated the new password, especially when an AD Connector is running. In that case the password change fails.

The modified version of pam_krb5.so in UCS does not request a Kerberos ticket after the user had to change the password during a login.

If a scenario requires it, the original upstream behavior can be re-activated by setting the UCR variable pam/krb5/ticket_after_pwchange to true. This is the only value that restores the upstream behavior; if the variable is false or unset (the default), the UCS behavior described above is used.
