RHEL4 and Active Directory Integration (pam_krb5) -- cannot change password
Scott Ruckh
sruckh at gemneye.org
Thu Aug 24 16:11:32 EDT 2006
I am trying to use Kerberos to authenticate *NIX client accounts against
a Windows 2003 Active Directory.
The kerberos packages that are installed on the Red Hat system are:
krb5-libs-1.3.4-33
krb5-devel-1.3.4-33
pam_krb5-2.1.8-1
krb5-auth-dialog-0.2-1
krb5-workstation-1.3.4-33
I have created a keytab file using the MS Windows utility ktpass.
When I log on to the Red Hat system everything works as expected and I can
see the following in the /var/log/messages file:
sshd: pam_krb5[3554]: krb5_get_init_creds_password(krbtgt/AD.NET at AD.NET) returned 0 (Success)
pam_krb5[3554]: validating credentials
pam_krb5[3554]: TGT verified using key for 'host/vmlnx01.ad.net at AD.NET'
pam_krb5[3554]: TGT verified using key for 'host/vmlnx01.ad.net at AD.NET'
pam_krb5[3554]: got result 0 (Success)
pam_krb5[3554]: authentication succeeds for 'aduser' (aduser at AD.NET)
pam_krb5[3554]: authentication succeeds for 'aduser' (aduser at AD.NET)
pam_krb5[3554]: pam_authenticate returning 0 (Success)
At this point everything looks fine and it appears the keytab file was
used successfully.
Now if I try to issue the `passwd' command for the user who just
successfully logged on to the system, I see the following in
/var/log/messages:
passwd: pam_krb5[3589]: authenticating 'aduser at AD.NET' to 'kadmin/changepw at AD.NET'
passwd: pam_krb5[3589]: krb5_get_init_creds_password(kadmin/changepw at AD.NET) returned 5 (Input/output error)
passwd: pam_krb5[3589]: Got 5 (Input/output error) acquiring credentials for kadmin/changepw.
passwd: pam_krb5[3589]: authenticating 'aduser at AD.NET' to 'kadmin/changepw at AD.NET'
passwd: pam_krb5[3589]: krb5_get_init_creds_password(kadmin/changepw at AD.NET) returned 0 (Success)
passwd: pam_krb5[3589]: validating credentials
passwd: pam_krb5[3589]: TGT failed verification using key for 'host/vmlnx01.ad.net at AD.NET'
passwd: pam_krb5[3589]: TGT failed verification using key for 'host/vmlnx01.ad.net at AD.NET'
passwd: pam_krb5[3589]: Got 0 (Success) acquiring credentials for kadmin/changepw.
pam_krb5[3589]: pam_chauthtok returning 7 (Authentication failure)
Why is krb5_get_init_creds_password returning 5?
If I turn off validation (validate = false) in /etc/krb5.conf the user is
able to change their password.
The contents of /etc/pam.d/system-auth look like the following:
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so minimum_uid=500 use_first_pass debug
auth        required      /lib/security/$ISA/pam_deny.so
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so debug
account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_krb5.so minimum_uid=500 use_authtok debug
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_first_pass md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so debug
Does anyone know why I can successfully authenticate and log in, but
cannot change a user's password?
Your help is appreciated.
Thanks.
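The two log excerpts above contain everything needed to see where the password change diverges from the login: the same PAM module, but a different target principal (kadmin/changepw instead of krbtgt), a non-zero return from krb5_get_init_creds_password, and a ticket that fails validation against the host keytab key. The following is an added triage helper, not code from the post or from pam_krb5: it parses pam_krb5 debug lines of the formats shown above, groups them by PID, and lists the failures. The regular expressions are this example's own assumption about the message formats (taken from the lines quoted in the post), and the sample log is constructed from those lines, re-joined and with the archive's " at " standing in for "@".

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the pam_krb5 debug lines quoted in the post, re-joined
# onto single lines. Not a fresh capture; the archive prints "@" as " at ".
SAMPLE_LOG = """\
sshd: pam_krb5[3554]: krb5_get_init_creds_password(krbtgt/AD.NET at AD.NET) returned 0 (Success)
pam_krb5[3554]: validating credentials
pam_krb5[3554]: TGT verified using key for 'host/vmlnx01.ad.net at AD.NET'
pam_krb5[3554]: authentication succeeds for 'aduser' (aduser at AD.NET)
pam_krb5[3554]: pam_authenticate returning 0 (Success)
passwd: pam_krb5[3589]: authenticating 'aduser at AD.NET' to 'kadmin/changepw at AD.NET'
passwd: pam_krb5[3589]: krb5_get_init_creds_password(kadmin/changepw at AD.NET) returned 5 (Input/output error)
passwd: pam_krb5[3589]: Got 5 (Input/output error) acquiring credentials for kadmin/changepw.
passwd: pam_krb5[3589]: krb5_get_init_creds_password(kadmin/changepw at AD.NET) returned 0 (Success)
passwd: pam_krb5[3589]: validating credentials
passwd: pam_krb5[3589]: TGT failed verification using key for 'host/vmlnx01.ad.net at AD.NET'
pam_krb5[3589]: pam_chauthtok returning 7 (Authentication failure)
"""

# Message formats assumed from the post's excerpt. The syslog program name
# ("sshd:", "passwd:") is optional because some quoted lines lack it.
_PREFIX = r"^(?:(?P<svc>\w+): )?pam_krb5\[(?P<pid>\d+)\]: "
CREDS_RE = re.compile(
    _PREFIX
    + r"krb5_get_init_creds_password\((?P<princ>\S+?)(?: at |@)(?P<realm>\S+)\) "
    + r"returned (?P<code>\d+) \((?P<msg>[^)]*)\)$"
)
VERIFY_RE = re.compile(
    _PREFIX + r"TGT (?P<status>verified|failed verification) using key for '(?P<key>[^']+)'$"
)
RESULT_RE = re.compile(
    _PREFIX + r"(?P<func>pam_\w+) returning (?P<code>\d+) \((?P<msg>[^)]*)\)$"
)

Session = Dict[str, object]


def triage(log_text: str) -> Dict[int, Session]:
    """Group pam_krb5 debug lines by PID and extract the security-relevant events."""
    sessions: Dict[int, Session] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m: Optional[re.Match] = None
        for rx in (CREDS_RE, VERIFY_RE, RESULT_RE):
            m = rx.match(line)
            if m:
                break
        if not m:
            continue  # informational line, not one of the three event kinds
        pid = int(m["pid"])
        s = sessions.setdefault(pid, {"service": None, "creds": [], "verify": [], "result": None})
        if m["svc"]:
            s["service"] = m["svc"]
        if rx is CREDS_RE:
            # Which principal was requested and whether the KDC exchange succeeded.
            s["creds"].append((f"{m['princ']}@{m['realm']}", int(m["code"]), m["msg"]))
        elif rx is VERIFY_RE:
            # Did the obtained ticket validate against the local keytab key?
            s["verify"].append((m["status"] == "verified", m["key"].replace(" at ", "@")))
        else:
            s["result"] = (m["func"], int(m["code"]), m["msg"])
    return sessions


def findings(sessions: Dict[int, Session]) -> List[str]:
    """One line per failure: failed credential request, failed validation, non-zero PAM result."""
    out: List[str] = []
    for pid, s in sorted(sessions.items()):
        svc = s["service"] or "?"
        for princ, code, msg in s["creds"]:
            if code != 0:
                out.append(f"{svc}[{pid}]: initial creds for {princ} failed: {code} ({msg})")
        bad_keys = sorted({key for ok, key in s["verify"] if not ok})
        if bad_keys:
            out.append(f"{svc}[{pid}]: ticket failed validation against keytab key(s) {bad_keys}")
        if s["result"] and s["result"][1] != 0:
            func, code, msg = s["result"]
            out.append(f"{svc}[{pid}]: {func} returned {code} ({msg})")
    return out


if __name__ == "__main__":
    for f in findings(triage(SAMPLE_LOG)):
        print(f)
```

Run against the constructed sample, the sshd session (PID 3554) produces no findings, while the passwd session (PID 3589) yields three: the first kadmin/changepw credential request returning 5, the validation failure against the host/vmlnx01.ad.net key, and pam_chauthtok returning 7. Pointing it at a real /var/log/messages with pam_krb5 `debug` enabled gives the same per-PID summary, which is a quicker way to separate KDC-side errors (the `returned N` lines) from keytab-side errors (the `failed verification` lines) than reading the raw log.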