Changing user passwords under Kerberos/LDAP

Solution 1

You should not tamper with the LDAP password. It's probably {SASL}[email protected], which is what it always should be.

You should use kadmin.

You do not need to be root, just have the right privileges with the KDC.

Example:

self@notakdc ~ $ kadmin
Authenticating as principal self/[email protected] with password.
Password for self/[email protected]: 
kadmin:  getprivs
current privileges: GET ADD MODIFY DELETE
kadmin:  cpw someuser
Enter password for principal "[email protected]": 
Re-enter password for principal "[email protected]": 
Password for "[email protected]" changed.
kadmin:  quit
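
The first answer's point that userPassword should stay a {SASL} pass-through value can be checked against an LDIF export of the directory. The Python example below is added here and is not part of the original answers; it flags entries where a local hash has replaced the pass-through value, which an LDAP-side password change can leave behind. The realm EXAMPLE.ORG, the DNs and the hash value are constructed placeholders.

```python
import base64
import re

# Constructed LDIF sample; EXAMPLE.ORG, the DNs and the {SSHA} value are placeholders.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
userPassword:: e1NBU0x9YWxpY2VARVhBTVBMRS5PUkc=

dn: uid=bob,ou=people,dc=example,dc=org
userPassword: {SSHA}Q29uc3RydWN0ZWRTYW1wbGVIYXNoMDAwMA==

dn: uid=carol,ou=people,dc=example,dc=org
userPassword:: e1NBU0x9Y2Fyb2xARVhB
 TVBMRS5PUkc=
"""

def parse_entries(ldif):
    """Yield (dn, [userPassword values]); handles line folding and base64."""
    unfolded = ldif.replace("\n ", "")  # RFC 2849: continuation lines start with one space
    for block in unfolded.strip().split("\n\n"):
        dn, passwords = None, []
        for line in block.splitlines():
            attr, _, rest = line.partition(":")
            value = rest.lstrip(":").strip()
            if rest.startswith(":"):  # "attr:: value" means the value is base64-encoded
                value = base64.b64decode(value).decode("utf-8", "replace")
            if attr.lower() == "dn":
                dn = value
            elif attr.lower() == "userpassword":
                passwords.append(value)
        if dn:
            yield dn, passwords

def audit(ldif, realm):
    """Return {dn: finding} for entries not delegating to a principal in realm."""
    findings = {}
    for dn, passwords in parse_entries(ldif):
        for pw in passwords:
            m = re.match(r"\{[^}]+\}", pw)
            scheme = m.group(0) if m else "(cleartext)"
            if scheme.upper() != "{SASL}":  # report the scheme only, never the value
                findings[dn] = "local credential, scheme " + scheme
            elif not pw.endswith("@" + realm):
                findings[dn] = "{SASL} target outside realm " + realm
    return findings

if __name__ == "__main__":
    for dn, why in audit(SAMPLE_LDIF, "EXAMPLE.ORG").items():
        print(dn, "->", why)
```

An entry flagged as a local credential authenticates against LDAP alone, so its password no longer tracks the one the KDC holds.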

Solution 2

Maybe with kpasswd? Also, if you happen to use Heimdal instead of MIT Krb, there is a nifty overlay for OpenLDAP that keeps the LDAP, Samba and Kerberos passwords in sync if you use the Modify Password LDAP exop.

Author: BrianTheLion

Updated on September 18, 2022

Comments

  • BrianTheLion over 1 year

    I've set up Kerberos/LDAP on Ubuntu 11.04 Server according to this guide. My client machines are auto-mounting NFS volumes from the server using krb5. All is good: Users can log in to any of the machines in the office and their home directories auto-mount when they do.

    A user has forgotten his password. How do I -- root -- reset it?

    It seems to me that the password must be reset both in Kerberos and in LDAP, but I haven't been able to figure out how. Things I've tried:

    1. ldappasswd - User can successfully log in but their home directory does not mount.
    2. ldapsetpasswd - Same.
    3. kinit; passwd - My understanding is that passwd hooks PAM and therefore it may be the one-stop-shop that I'm looking for to get this done. It keeps asking me -- rather cryptically, I might add -- for "Current Kerberos password." None of the usual suspects seem to work.

    Cheers!

  • yrk over 12 years
    kpasswd requires knowledge of the old password.