Problem: Login after password change fails

This article only applies when Samba is not installed and heimdal-kerberos is used.

Problem

After changing your password, logins behave inconsistently: you can log in to the UMC or access shares, but authentication against OpenLDAP fails.

You can test this as follows:

root@ucs:~# kinit <USER>; klist; kdestroy

root@ucs:~# univention-ldapsearch -W -s base \
  -D "$( univention-ldapsearch -LLL uid=<USER> dn | sed -ne 's/dn: //p' )"

If you try your old credentials, authentication against OpenLDAP still works.

General Info

The password is changed through the PAM stack: first the new Kerberos keys are created, then the new password should be saved to LDAP. If the new password does not meet the password restrictions, it is not saved. Because the LDAP password change is executed as root, PAM suppresses the warning and it appears that the password was changed successfully. When you look into auth.log you will find lines like

14.02.19 16:57:40.558 AUTH ( INFO ) : PAM says: ‘BAD PASSWORD: is too similar to the old one’
14.02.19 17:02:26.386 AUTH ( INFO ) : PAM says: ‘Sorry, passwords do not match.’
14.02.19 17:02:26.386 AUTH ( WARN ) : Changing password failed ((‘Failed preliminary check by password service’, 24)). Prompts: [('New password: ', 1), ('Retype new password: ', 1), (‘Sorry, passwords do not match.’, 3)]
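The check above and the auth.log inspection, as an added shell example that is not from the Univention article or from UCS itself: it scans constructed sample auth.log lines for the suppressed PAM failures and, when given a user name on a UCS host, re-runs the page's kinit/ldapsearch sequence (the helper names and the sample lines are my own).

```shell
# Added example (not from the Univention article nor from UCS itself):
# find the PAM password-change failures that the article says are
# suppressed, and optionally re-run its Kerberos/OpenLDAP check.

# Constructed sample auth.log lines, modelled on the article's excerpt
# (ASCII quotes; the article shows typographic ones from web rendering).
sample_log() {
  cat <<'EOF'
14.02.19 16:57:40.558 AUTH ( INFO ) : PAM says: 'BAD PASSWORD: is too similar to the old one'
14.02.19 17:02:26.386 AUTH ( INFO ) : PAM says: 'Sorry, passwords do not match.'
14.02.19 17:02:26.386 AUTH ( WARN ) : Changing password failed (('Failed preliminary check by password service', 24))
14.02.19 17:10:01.000 AUTH ( INFO ) : password changed for some other user
EOF
}

# A rejected LDAP change after the Kerberos keys were renewed is the out-of-sync state.
FAIL_PATTERN='BAD PASSWORD|passwords do not match|Changing password failed'

# Count matching lines on stdin; print 0 and succeed when none match.
count_pw_change_failures() {
  grep -cE "$FAIL_PATTERN" || true
}

# Print "timestamp: reason" per failure so it can be matched to a user's
# password-change time.
list_pw_change_failures() {
  grep -E "$FAIL_PATTERN" |
    sed -E -e "s/^([0-9.]+ [0-9:.]+) .*PAM says: '([^']*)'.*/\1: \2/" \
           -e "s/^([0-9.]+ [0-9:.]+) .*(Changing password failed).*/\1: \2/"
}

# Interactive re-run of the article's check on a UCS host: kinit and a
# simple bind as the user's DN must both accept the same password.
check_password_sync() {
  user="$1"
  command -v univention-ldapsearch >/dev/null 2>&1 || { echo "not a UCS host" >&2; return 2; }
  kinit "$user" && klist && kdestroy || { echo "Kerberos: FAIL"; return 1; }
  dn=$(univention-ldapsearch -LLL "uid=$user" dn | sed -ne 's/^dn: //p')
  [ -n "$dn" ] || { echo "no DN found for $user"; return 1; }
  univention-ldapsearch -W -s base -D "$dn" >/dev/null && echo "OpenLDAP bind: OK" \
    || { echo "OpenLDAP bind: FAIL (passwords out of sync)"; return 1; }
}

if [ $# -gt 0 ]; then
  check_password_sync "$1"
else
  echo "password-change failures in sample: $(sample_log | count_pw_change_failures)"
  sample_log | list_pw_change_failures
fi
```

Run it with no arguments to see the sample scan, or pipe the real file through the functions (`grep AUTH /var/log/auth.log | list_pw_change_failures`) after sourcing the script.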

Solution

This appears to be a caching issue, so restarting heimdal-kerberos might fix it:

systemctl restart heimdal-kdc.service