likewise-open prevents local passwords from being changed

Bug #302026 reported by Jakob Sigurðsson
This bug affects 9 people
Affects: likewise-open (Ubuntu); Status: Triaged; Importance: Medium; Assigned to: Unassigned
Affects: pam (Ubuntu); Status: Invalid; Importance: Undecided; Assigned to: Unassigned

Bug Description

Binary package hint: likewise-open

After installing likewise-open on 8.10 I am unable to change any local passwords.
The latest updates have just been applied - some updates to libpam were included but did not fix the problem.

This appears only to be the case with users with empty passwords.

    jakob@ubuntu:~$ passwd
    Changing password for jakob.
    (current) UNIX password:
    ^C
    passwd: Authentication token manipulation error
    passwd: password unchanged
    jakob@ubuntu:~$
    jakob@ubuntu:~$ sudo su -
    [sudo] password for jakob:
    root@ubuntu:~# passwd
    passwd: password updated successfully
    root@ubuntu:~#
    root@ubuntu:~# adduser testuser
    Adding user `testuser' ...
    [output cut]
    root@ubuntu:~#
    root@ubuntu:~#
    root@ubuntu:~#
    root@ubuntu:~# passwd testuser
    passwd: password updated successfully
    root@ubuntu:~#

The passwd command simply prints out that "password updated successfully" message then exits.

description: updated
Thierry Carrez (ttx) wrote :

Confirming...
Once likewise-open is installed (whether a domain is joined or not), running "passwd" to change a local password fails: it never prompts for a new password. (Changing a domain password works.)

It also always returns "passwd: password updated successfully"

I suppose there is something wrong in the PAM stack:
    password [success=2 default=ignore] pam_lwidentity.so
    password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
    password requisite pam_deny.so
    password required pam_permit.so

use_authtok forces pam_unix.so to use the password entered for pam_lwidentity.so... but if the user is not in the domain there is no such token. There is little to gain in reusing passwords between pam_lwidentity.so and pam_unix.so, since they aren't targeting the same users...

As a dirty workaround "use_authtok" can be removed from /etc/pam.d/common-password:
    password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
(that change will be overridden next time pam-auth-update is run)

Changed in likewise-open:
status: New → Confirmed
Thierry Carrez (ttx)
Changed in likewise-open:
status: Confirmed → New
Steve Langasek (vorlon) wrote :

The reason for reusing the passwords between modules is to ensure the user is only prompted for a new password once.

There is no "try_authtok" equivalent to "try_first_pass", and special-casing pam_lwidentity in pam-auth-update would not be a good idea. I think pam_lwidentity needs to prompt for and store the new password, even if it won't use it itself, otherwise there's no way for us to have a completely pluggable stack.

Also, if the return code here is "password updated successfully", then I think that implies pam_lwidentity.so is incorrectly returning PAM_SUCCESS for users it doesn't know about. It shouldn't do this - it should return a sensible return value that lets the administrator construct a useful stack, instead of presuming that PAM_SUCCESS is wanted.

BTW, installing pam_cracklib may (or may not) work around this.

Gerald Carter (coffeedude.jerry) wrote :

Thanks for the analysis. Saves me some work. I'll get a local repo and see what I can do.

Thierry Carrez (ttx) wrote :

Thanks for the analysis, this should indeed be fixed in pam_lwidentity.so rather than special-casing pam_lwidentity.so in the pam stack building tools.

Changed in pam:
status: New → Invalid
Changed in likewise-open:
importance: Undecided → Medium
status: New → Confirmed
Buddha (lord-buddha) wrote :

I also ran into this issue... but with even more dire results.

I can login with domain accounts, but not local accounts. Even the local admin account no longer works which means I can't even get updates.

If I boot with

    rw init=/bin/bash

and then try to reset the local admin user's password I get "Authentication token manipulation error".

Buddha (lord-buddha) wrote :

I should have said, everything seemed fine with local user access until today.

Today I did updates and installed vmware server, before I found I could no longer log in using a local account.

Ubuntu 8.10/AMD64. Likewise Open was installed using the DEB from likewise rather than the repository version.

Now I don't believe it is vmware that has caused the issue, more probably the updates I received.

vmware is having its own issues of course due to a keyboard mapping issue in Ubuntu but this seems to be a known bug with a workaround that hopefully will work tomorrow when I am back at work.

I have now got access to root by adding my domain users group to the sudoers file so I can manage.

Everything was good in 8.04. I just needed to change to 64 bit...

Let me know if you need more info and how to get it...

Thierry Carrez (ttx) wrote :

Buddha: The DEB from likewise may be slightly different from the official Ubuntu one. And the issue you're experiencing looks slightly different from the original poster's one. If you're not using the Ubuntu-packaged version of likewise-open, please file bugs directly upstream (http://lobugs.likewisesoftware.com/). If you can reproduce your issue with the Ubuntu-packaged version of Likewise Open, please file a new bug here.

Thierry Carrez (ttx) wrote :

I can confirm that installing libpam-cracklib works around the issue: it stacks a pam_cracklib module in first position that correctly stores old/new passwords for later modules.
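
An added illustration, not part of the thread and not Likewise or Ubuntu code: a simplified model of how libpam walks the password stack quoted above for a local user. It covers the PAM_SUCCESS case, the use_authtok failure, and the two workarounds (pam_cracklib first, or use_authtok removed). The return codes given to each module and the pam_cracklib line are assumptions of the model.

```python
import re

# Password stack quoted in the thread (from /etc/pam.d/common-password).
STACK = """\
password [success=2 default=ignore] pam_lwidentity.so
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so
"""
# Constructed line standing in for what libpam-cracklib puts first in the stack.
CRACKLIB = "password requisite pam_cracklib.so\n"

def parse(text):
    """Return (control, module, args) for every 'password' line."""
    pat = re.compile(r"\s*password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")
    return [(m[1], m[2], m[3].split()) for m in map(pat.match, text.splitlines()) if m]

def run(text, lw_rc):
    """Walk the stack for a local user; lw_rc is pam_lwidentity.so's return code.

    Simplified model: one pass, only the control forms shown above, and
    assumed module behaviour (see comments). Returns (result, modules_called).
    """
    rules = parse(text)
    token = ok = failed = False
    called, i = [], 0
    while i < len(rules):
        control, module, args = rules[i]
        called.append(module)
        i += 1
        if module == "pam_lwidentity.so":
            rc = lw_rc                      # stores no token for a local user
        elif module == "pam_cracklib.so":
            rc, token = "success", True     # prompts and stores the new password
        elif module == "pam_unix.so" and "use_authtok" in args and not token:
            rc = "authtok_err"              # told to reuse a token nobody stored
        elif module == "pam_unix.so":
            rc, token = "success", True     # token available, or prompts itself
        elif module == "pam_permit.so":
            rc = "success"
        else:
            rc = "authtok_err"              # pam_deny.so always fails
        if control.startswith("["):
            acts = dict(kv.split("=") for kv in control[1:-1].split())
            act = acts.get(rc, acts.get("default", "bad"))
            if act.isdigit():
                i += int(act)               # jump over the next N modules
        elif rc == "success":
            ok = True
        else:
            failed = True
            if control == "requisite":
                break                       # requisite: stop at the first failure
    return ("success" if ok and not failed else "fail"), called
```

With `lw_rc="success"` the walk jumps straight to pam_permit.so and pam_unix.so is never called; with `lw_rc="user_unknown"` pam_unix.so fails on the missing token and pam_deny.so ends the stack.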

Buddha (lord-buddha) wrote : Re: [Bug 302026] Re: likewise-open prevents local passwords from being changed

I thought that might be the answer...

The Ubuntu release is 4.x and the Likewise release is 5.x

I will try removing myself from the domain, uninstalling and then
reinstalling ... But will wait until closer to Xmas in case I end up with
a non-functioning computer.

aftertaf (david-wooffindin) wrote :

I confirm this bug on kubuntu 8.10 and on current jaunty (as of today's date).
I didn't realise it was due to likewise install....
1) After editing the common-password file I was able to change passwords fine :)
2) I have also installed libpam-cracklib to make sure a new update doesn't recreate the problem

thanks for the pointers ;)

Alen (phone-gr) wrote :

When will the bug be fixed?

Buddha (lord-buddha) wrote : Re: [Bug 302026] Re: likewise-open prevents local passwords from being changed

Not sure it will. I was using likewise 5 (package sourced from likewise not
ubuntu) on Ubuntu 8.04 which was not supported by Ubuntu at the time.

I reinstalled everything and am now running likewise 5 on 9.04. Have had
no issues so far. Likewise 5 is now in the Ubuntu repositories so if the
problem re-occurs it should be easier to get a resolution (without resorting
to a reinstall).

atin (allen-tiniusfamily) wrote :

I am also having this issue, but passwd doesn't give me the password successfully changed message, but gives me...

# passwd allen
passwd: Authentication token manipulation error
passwd: password unchanged

If I comment out the entries containing /lib/security/pam_lsass.so from common_auth, common_password, and common_account, I can change passwords and su to local users, but I can no longer authenticate my domain account, which was expected.

This problem started occurring after running update. When I first installed likewise 5.1 on ubuntu 8.10, I did not have any problems using domain or local accounts.

Buddha (lord-buddha) wrote :

That is exactly what happened to me. Same versions etc.

Basically there will not be a fix. Likewise 5 is not supported on ubuntu
8.1...

I am still having no issue with Likewise 5 on Ubuntu 9.04. Am awaiting the
first pam update though with some nervousness as I believe that this was
what caused my issue.

Will make sure I take a full backup of /etc before applying any updates.

Alen (phone-gr) wrote :

I'm using 4.1.2982-likewise-1 on ubuntu 8.10 server
Not only does it not allow changing the local password, it also crashes and it's not usable at all.
ubuntu should fix the problem on 8.10 since it's a bug and not a new version.

Steve Langasek (vorlon) wrote :

Alen,

Please file a separate bug report for your crashing issue, as described at <https://help.ubuntu.com/community/ReportingBugs>. Any such crashes would appear to be an unrelated bug.

Bastiaan Wakkie (bwakkie) wrote :

Same on 9.04, I just installed likewise-open (still version 4 though)

I was worried crazy!

So uninstalling fixed the problem for me.

Thierry Carrez (ttx)
Changed in likewise-open (Ubuntu):
status: Confirmed → Triaged
Nikolaj Sheller (nikolajsheller) wrote :

I think I am seeing this issue on Karmic.
I have likewise installed, and I am unable to change my password.

Using "users-admin"->"Properties"->"Change Password" locks up when authenticating, with the message "Checking Password".
Using "passwd" gives me "passwd: Authentication token manipulation error".

Jakob Sigurðsson (jakobjs) wrote :

Nikolaj,

Do this on your console and paste the output here.
This must be resolved on Karmic for sure.

Regards,
Jakob

Steve Romanow (slestak989) wrote :

Is this likewise open 4 or 5?

Buddha (lord-buddha) wrote :

It must be 4 as the version 5 in the karmic repository can't be joined into
a domain due to a kerberos change.

5.4 direct from Likewise works though (in a vm).

Steve Romanow (slestak989) wrote :

I locked myself out of a machine once playing with Likewise so always make
sure you keep a session open while testing and verify with ssh you can get
in before you log out of that console.

Gerald Carter (coffeedude.jerry) wrote :

Tested and confirmed working in the upcoming 5.4.0.42111 packages for Lucid.

Adrian Moya (adrianmoya) wrote :

Hi guys, I'm having this problem on several ubuntu 9.04 workstations using the likewise 5 package from likewise directly. I cannot do sudo anymore after an upgrade. These workstations are in production and I'm out of ideas, could somebody explain to me what's the workaround to this issue? Is it possible to repair the main local user authentication? I have asked for help in likewise forums but I'm running short on time.

Thanks!

Gerald Carter (coffeedude.jerry) wrote :

This doesn't seem to have any real relevance to the original bug report.

You installed packages from likewise.com right? And then upgraded the ubuntu 9.04 workstation to a newer ubuntu release? In any case, boot into single user mode and run the following as root:

  $ /opt/likewise/bin/domainjoin-cli configure --disable pam
  $ pam-auth-update -f   # and accept the defaults

When you are comfortable with the upgraded system, you can run the following to re-enable the pam_lsass module.

  $ /opt/likewise/bin/domainjoin-cli configure --enable pam

Please note that I realize this is not very Ubuntu-like to modify pam files directly. There's an upstream bug report already. The native ubuntu packages (in main/universe) do the right thing however.

kc77 (kaicrrll) wrote :

I ran into this on 9.10 server and I am using the likewise that was within the repositories. Unfortunately this needs to be fixed as within server environments DNS is usually disabled for those machines outside of the domain. Thus joining them to the domain is relatively routine.

Disabling PAM only disables user auth against AD, is that correct? If so the machine should stay within the domain even though user auth is disabled. Can you confirm?

Steve Langasek (vorlon) wrote :

Yes, disabling PAM only disables the user auth component.
