This article applies only to systems without Samba where heimdal-kerberos is used.
After changing your password, logins behave inconsistently: you can log in to the UMC or access shares, but authentication against OpenLDAP fails.
You can test this as follows:
root@ucs:~# kinit <USER>; klist; kdestroy
root@ucs:~# univention-ldapsearch -W -s base \
    -D "$( univention-ldapsearch -LLL uid=<USER> dn | sed -ne 's/dn: //p' )"
With your old credentials, authentication against OpenLDAP still works.
The password is changed through the PAM stack: first the new Kerberos keys are created, then the new password is supposed to be saved to LDAP. If the new password does not meet the password restrictions, it is not saved. Because the LDAP password change runs as root, PAM suppresses the warning and the change appears to have succeeded, although Kerberos now holds the new password while LDAP still holds the old one. In the auth.log you will find lines like:
14.02.19 16:57:40.558 AUTH ( INFO ) : PAM says: 'BAD PASSWORD: is too similar to the old one'
14.02.19 17:02:26.386 AUTH ( INFO ) : PAM says: 'Sorry, passwords do not match.'
14.02.19 17:02:26.386 AUTH ( WARN ) : Changing password failed (('Failed preliminary check by password service', 24)). Prompts: [('New password: ', 1), ('Retype new password: ', 1), ('Sorry, passwords do not match.', 3)]
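To find such silently rejected password changes without reading the whole log by hand, the following added shell script (not part of this article or of UCS) pairs each "Changing password failed" warning with the PAM reason logged in the same second; the sample lines are constructed after the excerpt above, and the log path you feed it is your own.

```shell
#!/bin/sh
# Added example: report password changes that PAM rejected after the
# Kerberos keys had already been rotated (the out-of-sync case described above).
# Usage on a real system: report_rejected_password_changes < auth.log

# Constructed sample lines, modelled on the article's auth.log excerpt.
sample_auth_log() {
    cat <<'EOF'
14.02.19 16:57:40.558 AUTH ( INFO ) : PAM says: 'BAD PASSWORD: is too similar to the old one'
14.02.19 16:57:40.560 AUTH ( WARN ) : Changing password failed (('Failed preliminary check by password service', 24)).
14.02.19 17:02:26.386 AUTH ( INFO ) : PAM says: 'Sorry, passwords do not match.'
14.02.19 17:02:26.386 AUTH ( WARN ) : Changing password failed (('Failed preliminary check by password service', 24)). Prompts: [('New password: ', 1), ('Retype new password: ', 1), ('Sorry, passwords do not match.', 3)]
EOF
}

# Reads auth.log lines on stdin and prints one line per rejected change:
#   <date> <time> rejected: <reason PAM gave>
# The "PAM says" line precedes the WARN line of the same attempt, so the two
# are matched on date plus time truncated to the second.
report_rejected_password_changes() {
    awk '
        /AUTH \( INFO \) : PAM says: / {
            key = $1 " " substr($2, 1, 8)
            reason = $0
            sub(/.*PAM says: /, "", reason)
            gsub(/^'\''|'\''$/, "", reason)   # strip the quotes around the message
            reasons[key] = reason
            next
        }
        /AUTH \( WARN \) : Changing password failed/ {
            key = $1 " " substr($2, 1, 8)
            why = (key in reasons) ? reasons[key] : "no PAM reason logged"
            printf "%s rejected: %s\n", key, why
        }
    '
}
```

Each reported line names a user whose Kerberos password no longer matches the one stored in LDAP; such users need to set their password again (meeting the restrictions) once the KDC has been restarted.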
This appears to be a caching issue, so restarting the Heimdal KDC might fix it:
systemctl restart heimdal-kdc.service