I have followed this excellent post to configure Kerberos + LDAP:
http://koo.fi/blog/2013/01/06/ubuntu-12-04-active-directory-authentication/
However, there are some local users used for services.
When I try to change the password for one of those, as root, it asks for Current Kerberos password then exits:
passwd service1
Current Kerberos password: (I hit enter)
Current Kerberos password: (I hit enter)
passwd: Authentication token manipulation error
passwd: password unchanged
If I switch to the local user and do passwd, it asks once for Kerberos then falls back to local:
$ passwd
Current Kerberos password:
Changing password for service1.
(current) UNIX password:
My configuration is similar to the site I posted above, and everything works fine, I just can't change the local users' passwords as root.
Thanks in advance for any help.
3.8.0-29-generic #42~precise1-Ubuntu
Update 1 2013-01-31:
# cat /etc/pam.d/common-auth
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
# cat /etc/pam.d/common-password
password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so
Best Answer
In your /etc/pam.d/common-password , change the minimum_uid in your first line to something bigger than 1000, example:
That worked for me. This is what you should see in /var/log/auth.log after changing the password for that user as root: