Bug 30425 - Password change: RDP to Windows TS fails, pam_ccreds cache is not updated, pam_mount uses old password
Password change: RDP to Windows TS fails, pam_ccreds cache is not updated, pa...
Product: Z_Univention Corporate Client (UCC)
Classification: Unclassified
Component: User logins
Other Linux
: P5 normal
: ---
Assigned To: UCC maintainers
: interim-3
: 32077 (view as bug list)
Depends on:
  Show dependency treegraph
Reported: 2013-02-13 15:43 CET by Felix Botner
Modified: 2023-06-28 10:33 CEST (History)
3 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Felix Botner univentionstaff 2013-02-13 15:43:34 CET
A user has to change the password on the next login. If that user logs on a UCC RDP Session lightdm asks for the new password, but the session to the windows server fails. 

lightdm saves the users password to allow /usr/share/xsessions/RDP to pass the password as a parameter to the rdpclient. But this password is saved before the password change.
Comment 1 Moritz Muehlenhoff univentionstaff 2013-02-13 16:09:17 CET
The temporarily-saved password in /tmp/passwd isn't updated in that case. This needs to be handled in the PAM configuration or the script, which stores the password. As a workaround a login to a different session script can be performed.
Comment 2 Felix Botner univentionstaff 2013-04-05 10:13:34 CEST
postponed to 1.1, that only affects RDP sessions

The problem is that pam_krb5.so lets the kerberos library handle the actual password change, even if defer_pwchange is activated (as in UCC). Therefore the new password never appears in pam_krb5.so and can not be internally stored. Also, the password change is done in the authentication part (auth ... pam_krb5.so), not in common-password.

Normally, the pam module stores the new password in PAM_AUTHTOK after a password change and pam_runasroot exports this password.


   retval = pam_get_item ( pamh, PAM_AUTHTOK, (const void **) &password );
   setenv ( "PASSWD", password, 1 );

But with pam_kerb5.so the new password is not saved in PAM_AUTHTOK.

I have added a bit of debugging in pam_krb5.so (ssh login with a user that has to change password):

@@ -710,6 +710,7 @@
                 goto done;
             pam_get_item(args->pamh, authtok, (PAM_CONST void **) &pass);
+  putil_debug(args, "password %s", pass);
@@ -744,15 +746,20 @@
         if (!do_only_alt) {
+  putil_debug(args, "k5login_password_auth|krb5_get_init_creds_password");
             if (args->config->search_k5login) {
+  putil_debug(args, "k5login_password_auth");
                 success = k5login_password_auth(args, *creds, opts, service,
                               pass, &retval);
             } else {
+  putil_debug(args, "krb5_get_init_creds_password");
                 retval = krb5_get_init_creds_password(ctx->context, *creds,
                               ctx->princ, pass, pamk5_prompter_krb5, args, 0,
                               (char *) service, opts);
+  putil_debug(args, "krb5_get_init_creds_password end");
                 success = (retval == 0) ? PAM_SUCCESS : PAM_AUTH_ERR;
+  putil_debug(args, "success: %d", success);
@@ -778,6 +788,7 @@
          * we failed, make sure retval is not 0 out of paranoia, since later
          * on all we care about is retval.
+  putil_debug(args, "password %s", pass);
         if (success == PAM_SUCCESS)
         else if (retval == 0)


pam_krb5(sshd:auth): pam_sm_authenticate: entry (nonull)
pam_krb5(sshd:auth): (user test2) defer_pwchange 0
pam_krb5(sshd:auth): (user test2) attempting authentication as test2@TEST.FB


pam_krb5(sshd:auth): (user test2) password univention
pam_krb5(sshd:auth): (user test2) k5login_password_auth|krb5_get_init_creds_password
pam_krb5(sshd:auth): (user test2) krb5_get_init_creds_password


pam_krb5(sshd:auth): (user test2) krb5_get_init_creds_password end
pam_krb5(sshd:auth): (user test2) success: 0
pam_krb5(sshd:auth): (user test2) password univention
pam_krb5(sshd:auth): (user test2) pamk5_password_auth 0
pam_krb5(sshd:auth): user test2 authenticated as test2@TEST.FB
pam_krb5(sshd:auth): pam_sm_authenticate: exit (success)
PAM-runasroot[23793]: continuing as normal user
PAM-runasroot[23793]: continuing as normal user


It seems, that the password change is done in krb5_get_init_creds_password from libkrb5.so.26.

So i don't see how to get the password here, maybe there is a way in lightdm or the greeter.
Comment 3 Felix Botner univentionstaff 2014-05-08 15:11:14 CEST
*** Bug 32077 has been marked as a duplicate of this bug. ***
Comment 4 Felix Botner univentionstaff 2014-05-08 16:16:56 CEST
Still the same...

libpam-krb5-4.6/auth.c:password_auth calls "krb5_get_init_creds_password" from libkrb5.so (libkrb5-26-heimdal) the authenticate/handle password change. But the new password is never returned to libpam-krb5 an therefore can't be stored in AUTHTOK.
Comment 5 Moritz Muehlenhoff univentionstaff 2014-05-19 09:12:00 CEST
While there's no immediate fix possible, I'm moving it to errata for now: We should raise this issue upstream, maybe a workaround can be implemented in LightDM.
Comment 6 Felix Botner univentionstaff 2014-09-25 09:21:31 CEST
See also Bug 35333, this problem causes multiple issue's (rdp login -> pam_runasroot.so save_pass, pam_ccreds, pam_mount) because all subsequent pam modules use a wrong (the old) password.

Maybe we could export the new password in heimdal->krb5_get_init_creds_password() and than set the PAM_AUTHTOK pam_krb5->password_auth() to this value?
Comment 7 Stefan Gohmann univentionstaff 2015-04-01 06:01:32 CEST
Remove errata status. If it is critical in any environment, please comment this issue.
Comment 8 Philipp Hahn univentionstaff 2023-06-28 10:30:34 CEST
UCC is EoL