Changing user passwords under Kerberos/LDAP
Solution 1
You should not tamper with the LDAP password. It's probably {SASL}[email protected], which is what it always should be.
You should use kadmin.
You do not need to be root, just have the right privileges with the KDC.
example:
self@notakdc ~ $ kadmin
Authenticating as principal self/[email protected] with password.
Password for self/[email protected]:
kadmin: getprivs
current privileges: GET ADD MODIFY DELETE
kadmin: cpw someuser
Enter password for principal "[email protected]":
Re-enter password for principal "[email protected]":
Password for "[email protected]" changed.
kadmin: quit
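Added example, not part of the original answer: a small Python audit that reads ldapsearch LDIF and reports entries whose userPassword is no longer the {SASL} pass-through value the answer describes, without ever printing the stored value. The DNs, the EXAMPLE.COM realm, the hash string and the function names are constructed for illustration.

```python
import base64
import sys

def encode_b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample shaped like `ldapsearch -LLL` output (made-up DNs, realm, hash).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
userPassword:: %s

dn: uid=bob,ou=people,dc=example,dc=com
userPassword:: %s

dn: uid=carol,ou=people,dc=example,dc=com
""" % (encode_b64("{SASL}alice@EXAMPLE.COM"), encode_b64("{SSHA}constructed-hash"))

def classify(value):
    """Name the storage scheme without echoing the credential itself."""
    if value.upper().startswith("{SASL}") and "@" in value:
        return "sasl"                      # pass-through to Kerberos
    if value.startswith("{") and "}" in value:
        return "local:" + value[1:value.index("}")].upper()
    return "local:CLEARTEXT"

def audit_ldif(ldif_text):
    """Map each DN to 'sasl', 'local:<SCHEME>' or 'missing' (attribute not returned)."""
    results = {}
    unfolded = ldif_text.replace("\r\n", "\n").replace("\n ", "")  # undo line folding
    for block in unfolded.strip().split("\n\n"):
        dn, status = None, "missing"
        for line in block.splitlines():
            name, sep, rest = line.partition(":")
            if not sep or name.startswith("#"):
                continue
            value = rest.lstrip(":").strip()
            if rest.startswith(":"):       # "attr:: <base64>"
                value = base64.b64decode(value).decode("utf-8", "replace")
            if name.lower() == "dn":
                dn = value
            elif name.lower() == "userpassword":
                status = classify(value)
        if dn:
            results[dn] = status
    return results

if __name__ == "__main__":
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    print({dn: s for dn, s in audit_ldif(text).items() if s != "sasl"})
```

Feed it `ldapsearch -LLL` output on stdin. An entry reported as local:SSHA is checked against a hash stored in LDAP, so it no longer follows the Kerberos password.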
Solution 2
Maybe with kpasswd? Also, if you happen to use Heimdal instead of MIT Krb, there is a nifty overlay for OpenLDAP that keeps the LDAP, Samba and Kerberos passwords in sync if you use the Modify Password LDAP exop.
BrianTheLion
Updated on September 18, 2022
Comments
-
BrianTheLion over 1 year
I've set up Kerberos/LDAP on Ubuntu 11.04 Server according to this guide. My client machines are auto-mounting NFS volumes from the server using krb5. All is good: Users can log in to any of the machines in the office and their home directories auto-mount when they do.
A user has forgotten his password. How do I -- root -- reset it?
It seems to me that the password must be reset both in Kerberos and in LDAP, but I haven't been able to figure out how. Things I've tried:
- ldappasswd - User can successfully log in but their home directory does not mount.
- ldapsetpasswd - Same.
- kinit; passwd - My understanding is that passwd hooks PAM and therefore it may be the one-stop-shop that I'm looking for to get this done. It keeps asking me -- rather cryptically, I might add -- for "Current Kerberos password." None of the usual suspects seem to work.
Cheers!
-
yrk over 12 years
kpasswd requires knowledge of the old password.