[SOLVED] kerberos passwd: Authentication token manipulation error

mfoley · 12-18-2015, 03:34 PM

I've just upgraded to Ubuntu 15.10 using the Live CD over an existing 14.04 version. Users that were configured before were lost from /etc/passwd, so I'm trying to re-add them. useradd works find, but when I try (as root) to set the password I get:

# passwd username
Current Kerberos password:
Current Kerberos password:
passwd: Authentication token manipulation error
passwd: password unchanged

I've tried the pre-upgrade password for this user, but that didn't work. I don't even know why it's asking about Kerberos -- I just want this password set it passwd/shadow. I don't recall this question being asked before.

This is a bit of a pain for an otherwise pretty straightforward update.

How do I fix this?

pnbalaji · 12-22-2015, 06:09 PM

try renaming your /etc/krb5.conf to something else and retry the passwd command.

Thanks,
Balaji.

mfoley · 12-26-2015, 08:19 PM

Quote:

Originally Posted by pnbalaji

try renaming your /etc/krb5.conf to something else and retry the passwd command.

Thanks,
Balaji.

Nope. That didn't even give me a prompt to change the pw:

root@labrat:~# mv /etc/krb5.conf /etc/krb5.conf-save
root@labrat:~# passwd mfoley
passwd: Authentication token manipulation error
passwd: password unchanged
root@labrat:~#

pnbalaji · 12-27-2015, 08:58 PM

You could try the following options.

1. Rename /etc/ssh/ssh_config to something else.
2. Remove krb5-user package from the system
3. Reboot and try changing the password.

If the above steps doesn't work, you should probably try to change your root password by booting from a livecd.

Follow the links below.

http://unixlab.blogspot.in/2009/08/r...h-live-cd.html
http://blog.zwiegnet.com/linux-serve...e-cd-centos-6/

Thanks,
Balaji.

mfoley · 12-29-2015, 01:00 AM

Quote:

Originally Posted by pnbalaji

You could try the following options.

1. Rename /etc/ssh/ssh_config to something else.
2. Remove krb5-user package from the system
3. Reboot and try changing the password.

If the above steps doesn't work, you should probably try to change your root password by booting from a livecd.

Follow the links below.

[deleted]

I can change the root password without problem. I have the problem with other local users in /etc/passwd. I'd really rather not experiment with removing the krb5-user package just yet. I do need Kerberos for AD authentication.

I tried restoring my 14.04 backup to see if this was a 15.10 issue, but it's not. Same problem with 14.04.

Interestingly, I can log on as a local user (user created and password set before installing Kerberos), but even as that user, if I try to change the password I get the "Current Kerberos password" prompt and subsequent error. So successfully logged in local users can no longer change their passwords! This seems like a pretty serious bug! Surely I'm not the only one experiencing this?! Calling all Kerberos experts!

I'll check with the fellow who helped me set Kerberos up in the first place and post back.

pnbalaji · 12-29-2015, 04:51 AM

Can you try the following?

1. Obtain a new kerberos token using the command "kinit {userid}"
2. Now try changing the password using the command "passwd {userid}"

Thanks,
Balaji.,

mfoley · 12-30-2015, 01:14 PM

Quote:

Originally Posted by pnbalaji

Can you try the following?

1. Obtain a new kerberos token using the command "kinit {userid}"
2. Now try changing the password using the command "passwd {userid}"

Thanks,
Balaji.,

I get (tried as the user and as root):

mfoley@labrat:~$ kinit mfoley
kinit: Cannot find KDC for realm "HPRS" while getting initial credentials

my krb5.conf:

Code:

[libdefaults]
        default_realm = HPRS
        dns_lookup_realm = false
        dns_lookup_kdc = true

my /etc/samba/smb.conf:

Code:

[global]
  netbios name = labrat
  workgroup = HPRS
  security = ADS
  realm = HPRS.LOCAL
  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab

  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config HPRS:backend = ad
  idmap config HPRS:schema_mode = rfc2307
  idmap config HPRS:range = 10000-10099

  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users  = yes
  winbind enum groups = yes
  winbind refresh tickets = Yes

This is driving me crazy!

mfoley · 12-30-2015, 10:44 PM

Quote:

Originally Posted by pnbalaji

You could try the following options.

1. Rename /etc/ssh/ssh_config to something else.
2. Remove krb5-user package from the system
3. Reboot and try changing the password.

[deleted]

Thanks,
Balaji.

Balaji - Since I reverted back to 15.10, I had the opportunity to go ahead and uninstall kerberos. I did:

apt-get remove krb5-config libpam-krb5 krb5-user ssh-krb5

and yes, I was able to change the local user password. This means that the krb5.conf and smb.conf files I posted in my last posting are totally irrelevant. I got the "Current Kerberos password" prompt and "Authentication token manipulation error" with the vanilla, as-installed Kerberos and samba config files.

This indicates to me that ANYONE who has installed Kerberos on Linux (or at least Ubuntu) have all run into this same problem. I would think the solution would be all over the net, but I've found nothing yet!

pnbalaji · 12-30-2015, 11:31 PM

Usually Kerberos is setup with the company's active directory and I am not sure whether we will be able to change from our local machine. If you are on your work PC or laptop, it might work.

Thanks,
Balaji.

mfoley · 01-07-2016, 12:56 PM

Quote:

Originally Posted by pnbalaji

Usually Kerberos is setup with the company's active directory and I am not sure whether we will be able to change from our local machine. If you are on your work PC or laptop, it might work.

Thanks,
Balaji.

Yes, it was set up having to do with the Active Directory, and I suppose it is working find for domain users. However, this issue is with a local user on the Linux workstation (the workstation is a member of the domain). The local user is NOT a domain user and I would think I should be able to change his password w/o interference by Kerberos. Perhaps there is some setting somewhere? Below is my /etc/pam.d/common-password file. Perhaps these specify things to try in some particular order and I need to add or re-arrange? I'm no guru on this, so I need advice.

Code:

password        [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
password        [success=1 default=ignore]      pam_winbind.so use_authtok try_first_pass
password        requisite                       pam_deny.so
password        required                        pam_permit.so
password        optional        pam_gnome_keyring.so

Also, the UID of the user in question is 1001. Perhaps changing the "minimum_uid" value in the above file would work?

mfoley · 01-07-2016, 01:16 PM

In fact, that worked! I change the line in /etc/pam.d/common-password to

password [success=3 default=ignore] pam_krb5.so minimum_uid=10000

and I am now able to change local users (domain uses start at UID 10000)

pnbalaji · 01-07-2016, 08:59 PM

The safest way is to login into the domain and then change the password. There are products available (Centrify, likewise-open etc) that allows one to login into the domain.

Thanks,
Balaji.

mfoley · 01-08-2016, 10:21 AM

Domain users have no problem logging in. This problem was for a local user (in /etc/passwd only) that is normally not an interactive user, i.e. use for running batch/cron jobs.

But, you bring up a good point. How do domain users change their own passwords? I've tried passwd in a terminal session and "Passwords and Keys" from the desktop utilities. Neither work. Do you have any ideas? I'll have to research ...