This article only applies when Samba is not installed and Heimdal Kerberos is used.
Problem
After changing your password, logins behave inconsistently: you can log in to the UMC or access shares, but authentication against OpenLDAP fails.
You can easily test this as follows:
root@ucs:~# kinit <USER>; klist; kdestroy
root@ucs:~# univention-ldapsearch -W -s base \
-D "$( univention-ldapsearch -LLL uid=<USER> dn | sed -ne 's/dn: //p' )"
When you try your old credentials, authentication against OpenLDAP still works.
General Info
The password is changed through the PAM stack: first, new Kerberos keys are created, and then the new password should be saved to LDAP. If the new password does not meet the password restrictions, it is not saved. Because the LDAP password change is executed as root, PAM suppresses the warning and it appears that the password was changed successfully. When you look into the auth.log you will find lines like:
14.02.19 16:57:40.558 AUTH ( INFO ) : PAM says: 'BAD PASSWORD: is too similar to the old one'
14.02.19 17:02:26.386 AUTH ( INFO ) : PAM says: 'Sorry, passwords do not match.'
14.02.19 17:02:26.386 AUTH ( WARN ) : Changing password failed (('Failed preliminary check by password service', 24)). Prompts: [('New password: ', 1), ('Retype new password: ', 1), ('Sorry, passwords do not match.', 3)]
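As an added example (not from the Univention article), the following script wraps the test commands above into a function and extracts the PAM reasons from auth.log lines of the form just shown. It assumes a UCS host with kinit, klist, kdestroy and univention-ldapsearch for the interactive check, and that the log uses plain ASCII quotes; the function and variable names are mine.

```shell
#!/bin/bash
# Added example, not part of the Univention article: wraps the article's
# Kerberos-vs-OpenLDAP check into a function and extracts the PAM reasons for
# silently failed password changes from the auth log.
# Assumptions: check_user runs on a UCS host (kinit, klist, kdestroy and
# univention-ldapsearch present); the log uses plain ASCII quotes.

# Kerberos first, then a simple bind against OpenLDAP with the user's DN.
# Both steps prompt for the password, exactly like the commands in the article.
# Kerberos accepting the new password while the LDAP bind rejects it is the
# symptom the article describes.
check_user() {
    local user="$1" dn
    kinit "$user" && klist && kdestroy
    dn="$(univention-ldapsearch -LLL "uid=$user" dn | sed -ne 's/^dn: //p')"
    [ -n "$dn" ] || { echo "no LDAP entry for uid=$user" >&2; return 2; }
    univention-ldapsearch -W -s base -D "$dn"
}

# Print "<timestamp> pam: <reason>" for every PAM message and
# "<timestamp> failed: <reason>" for every failed password change.
# Reads the log file given as $1, or stdin when no file is given.
pwchange_failures() {
    { if [ "$#" -ge 1 ]; then cat -- "$1"; else cat; fi; } | sed -n -E \
        -e "s/^([0-9.]+ [0-9:.]+) AUTH \( (INFO|WARN) \) : PAM says: '(.*)'$/\1 pam: \3/p" \
        -e "s/^([0-9.]+ [0-9:.]+) AUTH \( WARN \) : Changing password failed \(\('(.*)', [0-9]+\)\).*$/\1 failed: \2/p"
}

# Constructed sample in the format shown in the article (not a real log).
SAMPLE_AUTH_LOG=$(cat <<'EOF'
14.02.19 16:57:40.558 AUTH ( INFO ) : PAM says: 'BAD PASSWORD: is too similar to the old one'
14.02.19 16:58:03.117 AUTH ( INFO ) : constructed filler line that must not match
14.02.19 17:02:26.386 AUTH ( INFO ) : PAM says: 'Sorry, passwords do not match.'
14.02.19 17:02:26.386 AUTH ( WARN ) : Changing password failed (('Failed preliminary check by password service', 24)). Prompts: [('New password: ', 1), ('Retype new password: ', 1), ('Sorry, passwords do not match.', 3)]
EOF
)

# Usage on a UCS host: ./check-pwchange.sh <USER> [<auth.log>]
# Without arguments only the constructed sample is analysed.
if [ "$#" -ge 1 ]; then
    check_user "$1"
    [ "$#" -ge 2 ] && pwchange_failures "$2"
else
    printf '%s\n' "$SAMPLE_AUTH_LOG" | pwchange_failures
fi
```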
Solution
This appears to be a caching issue, so restarting the Heimdal KDC might fix it:
systemctl restart heimdal-kdc.service