stick's corner » kerberos http://stick.gk2.sk Look at you, hacker. A pathetic creature of meat and bone. How can you challenge a perfect, immortal machine? Mon, 26 Jul 2010 16:31:32 +0000 en hourly 1 http://wordpress.org/?v=3.0 useradd and passwd vs. Kerberos http://stick.gk2.sk/blog/2009/11/useradd-passwd-vs-kerberos/ http://stick.gk2.sk/blog/2009/11/useradd-passwd-vs-kerberos/#comments Sat, 14 Nov 2009 00:20:25 +0000 Pavol Rusnak http://stick.gk2.sk/?p=884 Kerberos
At work we use LDAP and Kerberos authentication for users. During the testing of openSUSE 11.2, me and my other two colleagues (mmarek and mseben) have encountered problem that one cannot change the local password of user added with useradd. Running passwd user jumps directly to setting krb5 password. This was reported as bnc#545724.

It turned out that this is caused by the line:

password  [default=ignore success=1]  pam_succeed_if.so  uid > 999  quiet

which is added to /etc/pam.d/common-password-pc by pam-config during the installation, when Kerberos is enabled.

So the question is: How to add local users with local password (e.g. for testing purposes)? You can add so-called system-users by using useradd -r username (these will be given UID < 1000 and thus will not be handled by Kerberos). There is a catch, though. You cannot login as this user, because it’s shell is set to /bin/false by default. You can change it in /etc/passwd or, more cleanly, specify the shell immediately when creating the user:

useradd -r username -s /bin/bash
]]> http://stick.gk2.sk/blog/2009/11/useradd-passwd-vs-kerberos/feed/ 2