
useradd and passwd vs. Kerberos

November 14th, 2009

At work we use LDAP and Kerberos authentication for users. During the testing of openSUSE 11.2, my two colleagues (mmarek and mseben) and I encountered a problem: one cannot change the local password of a user added with useradd. Running passwd user jumps directly to setting the krb5 password. This was reported as bnc#545724.

It turned out that this is caused by the line:

password  [default=ignore success=1]  pam_succeed_if.so  uid > 999  quiet

which is added to /etc/pam.d/common-password-pc by pam-config during the installation, when Kerberos is enabled.

So the question is: how do you add local users with a local password (e.g. for testing purposes)? You can add so-called system users with useradd -r username (these are given a UID < 1000 and thus are not handled by Kerberos). There is a catch, though: you cannot log in as this user, because its shell is set to /bin/false by default. You can change it in /etc/passwd or, more cleanly, specify the shell when creating the user:

useradd -r username -s /bin/bash
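
To see how that pam_succeed_if line routes a password change, here is an added example (not from the original post) that walks a password stack for a given UID. Only the pam_succeed_if line is from the post; the two module lines after it and all function names are assumptions made for illustration.

```python
import re

# Constructed stack: only the first line is from the post; the rest is assumed.
SAMPLE_STACK = """\
password  [default=ignore success=1]  pam_succeed_if.so  uid > 999  quiet
password  sufficient                  pam_unix.so
password  required                    pam_krb5.so
"""

OPS = {"<": int.__lt__, "<=": int.__le__, ">": int.__gt__,
       ">=": int.__ge__, "eq": int.__eq__, "ne": int.__ne__}
LINE = re.compile(r"^\s*password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse(stack):
    """Yield (control, module, args) for each password line of a PAM file."""
    for raw in stack.splitlines():
        m = LINE.match(raw.split("#", 1)[0])
        if m:
            yield m.group(1), m.group(2), m.group(3).split()


def succeed_if(args, uid):
    """Evaluate a 'uid OP N' condition as pam_succeed_if.so would."""
    i = args.index("uid")
    return OPS[args[i + 1]](uid, int(args[i + 2]))


def modules_for_uid(stack, uid):
    """List the modules invoked for uid (other modules assumed to succeed)."""
    called, skip = [], 0
    for control, module, args in parse(stack):
        if skip:
            skip -= 1
            continue
        ok = succeed_if(args, uid) if module == "pam_succeed_if.so" else True
        if module != "pam_succeed_if.so":
            called.append(module)
        if control.startswith("["):
            actions = dict(kv.split("=") for kv in control[1:-1].split())
            action = actions.get("success" if ok else "default",
                                 actions.get("default", "bad"))
            if action.isdigit():
                skip = int(action)       # jump over the next N modules
            elif action in ("done", "die"):
                break
        elif control == "sufficient" and ok:
            break                        # stack ends here on success
    return called
```

With the constructed stack, modules_for_uid(SAMPLE_STACK, 1000) returns only pam_krb5.so, while a system UID such as 999 stops at the local module.
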
  1. cjk
    November 21st, 2009 at 18:30 | #1 | Mozilla 1.9.1.4openSUSE

    Mh, local user with a system UID. That sounds like a layering violation.

  2. April 7th, 2012 at 22:16 | #2 | Opera 11.62Windows 7 x64 Edition

    A way better method would be to change minimum_uid in /etc/pam.d/common-password …
    E.g. if your ldap users all have numerical uids greater than 2000 (which is the default), use

    password requisite pam_krb5.so minimum_uid=2000
