Ubuntu – Changing user passwords under Kerberos/LDAP

Tags: kerberos, ldap, openldap, password-reset, Ubuntu

I've set up Kerberos/LDAP on Ubuntu 11.04 Server according to this guide. My client machines are auto-mounting NFS volumes from the server using krb5. All is good: Users can log in to any of the machines in the office and their home directories auto-mount when they do.

A user has forgotten his password. How do I — root — reset it?

It seems to me that the password must be reset both in Kerberos and in LDAP, but I haven't been able to figure out how. Things I've tried:

  1. ldappasswd – User can successfully log in but their home directory does not mount.
  2. ldapsetpasswd – Same.
  3. kinit; passwd – My understanding is that passwd hooks PAM and therefore it may be the one-stop-shop that I'm looking for to get this done. It keeps asking me — rather cryptically, I might add — for "Current Kerberos password." None of the usual suspects seem to work.

Cheers!

Best Answer

You should not tamper with the ldap password. It's probably {SASL}user@DOMAIN.TLD, which is what it always should be.

You should use kadmin.

You do not need to be root; you just need the right privileges with the KDC.

Example:

self@notakdc ~ $ kadmin
Authenticating as principal self/admin@DOMAIN.TLD with password.
Password for self/admin@DOMAIN.TLD: 
kadmin:  getprivs
current privileges: GET ADD MODIFY DELETE
kadmin:  cpw someuser
Enter password for principal "someuser@DOMAIN.TLD": 
Re-enter password for principal "someuser@DOMAIN.TLD": 
Password for "someuser@DOMAIN.TLD" changed.
kadmin:  quit
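The procedure in the answer, written out as a small script. This is an added example, not part of the original answer: it runs the same cpw through kadmin, additionally flags the principal so the user must pick a new password at next login (modprinc +needchange), and then reads the user's LDAP entry to confirm that userPassword is still the {SASL}user@REALM pass-through value and has not been overwritten by an earlier ldappasswd attempt. The realm, admin principal, keytab path, LDAP base DN and LDAP URI are placeholders set at the top; adjust them to the site.

```shell
#!/bin/sh
# Added example (not from the original answer): reset a user's Kerberos
# password with kadmin and verify the LDAP entry still defers to the KDC.
# All names below are assumptions; override them via the environment.
set -u

REALM="${REALM:-DOMAIN.TLD}"
KADMIN_PRINC="${KADMIN_PRINC:-self/admin@$REALM}"
KADMIN_KEYTAB="${KADMIN_KEYTAB:-/etc/krb5.admin.keytab}"   # assumed path
LDAP_URI="${LDAP_URI:-ldapi:///}"
LDAP_BASE="${LDAP_BASE:-dc=domain,dc=tld}"                  # assumed base DN

# Qualify a bare user name with the realm; leave "user@REALM" untouched.
qualify() {
    case "$1" in
        *@*) printf '%s\n' "$1" ;;
        *)   printf '%s@%s\n' "$1" "$REALM" ;;
    esac
}

# Run one kadmin query, authenticating with a keytab (-k -t) so that no
# admin password ends up on the command line or in shell history.
kadm() {
    kadmin -p "$KADMIN_PRINC" -k -t "$KADMIN_KEYTAB" -q "$1"
}

# Parse the "getprivs" line; cpw needs MODIFY. Being root on the box is
# irrelevant, the ACL on the KDC (kadm5.acl) is what grants this.
has_modify_priv() {
    case " $1 " in
        *" MODIFY "*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Decode one LDIF attribute line: "attr: value" or "attr:: base64value".
ldif_value() {
    case "$1" in
        *'::'*) printf '%s' "${1#*:: }" | base64 -d ;;
        *)      printf '%s' "${1#*: }" ;;
    esac
}

# userPassword must stay "{SASL}user@REALM" so simple binds are passed
# through to the KDC; any other value means someone ran ldappasswd on it.
is_sasl_passthrough() {   # $1 = decoded userPassword, $2 = principal
    [ "$1" = "{SASL}$2" ]
}

reset_user() {
    princ=$(qualify "$1")
    user=${princ%@*}

    privs=$(kadm getprivs) || return 1
    has_modify_priv "$privs" || {
        echo "$KADMIN_PRINC lacks MODIFY on the KDC: $privs" >&2; return 1; }

    # kadmin prompts for the new password on the terminal. Do not use
    # "cpw -pw <password>": it shows up in the process list and history.
    kadm "cpw $princ" || return 1
    # Force the user to choose their own password at next login.
    kadm "modprinc +needchange $princ" || return 1

    # Read the entry over ldapi as the local root identity and check it.
    pw_line=$(ldapsearch -LLL -H "$LDAP_URI" -Y EXTERNAL -b "$LDAP_BASE" \
                  "(uid=$user)" userPassword 2>/dev/null \
              | grep '^userPassword:' | head -n 1)
    pw=$(ldif_value "$pw_line")
    if is_sasl_passthrough "$pw" "$princ"; then
        echo "ok: $princ reset; LDAP entry still defers to Kerberos"
    else
        echo "warning: userPassword for $user is '$pw', expected '{SASL}$princ'" >&2
        return 2
    fi
}

if [ $# -eq 1 ]; then
    reset_user "$1"
else
    echo "usage: $0 <user|user@REALM>" >&2
fi
```

Run it as `./krb-reset.sh someuser`; the admin principal authenticates from the keytab, the new password is typed once at the kadmin prompt, and a non-zero exit with the warning means the directory entry was changed by one of the ldappasswd attempts and should be put back to the {SASL} form.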