Re: Changing password in Kerberos environment

[Ondrej Holy <oholy redhat com>]

Hi Yvan,

----- Original Message -----
> Hi Ondrej,
>
> Thanks for your informative answer.
>
> So if I understand well, changing password with the GUI is not possible
> for now.
>
> It is only my non-expert thoughts and I don't blame accountsservice
> developpers, but it is strange to me that it parses /etc/passwd and not
> the result of the "getent passwd" command.

I'm not also expert on accountsservice, this was just my ideas, but it seems that they are really parsing 
/etc/passwd directly (src/daemon.c:entry_generator_fgetpwent) and set the account as locked if password isn't 
set or contains "!" (src/user.c:user_update_from_pwent). You can file the bug report for accountsservice, see:
http://freedesktop.org/wiki/Software/AccountsService/

> Similarly, I can not understand why g-c-c is not just calling the
> "passwd" command.

It is just calling the passwd, but it has to parse its output to interact and show results in gui. But there 
is a problem that different pam plugins show different output, see:

$ passwd
Changing password for user oholy.
Changing password for oholy.
(current) UNIX password: <WRONG_PASSWORD>
Current Password: <WRONG_PASSWORD>
Kerberos 5 Password: <WRONG_PASSWORD>
...

Regards

Ondrej


> I still have many things to learn...
>
> Regards,
> Yvan
>
> Le mardi 14 avril 2015 à 08:05 -0400, Ondrej Holy a écrit :
> > Hi Yvan,
> >
> > I suspect you don't use "enterprise accounts" (using realmd), but you have
> > reconfigured pam and use something like pam_krb5.so instead of pam_unix.so.
> > So you don't have configured your unix password (if it is possible). I
> > pretend
> > accountsservice doesn't support such manual configuration, thus it returns
> > that the account is disabled, because /etc/passwd doesn't contain necessary
> > entries probably. However it still won't work in g-c-c if it would be fixed
> > in accountsservice, because there is parser for passwd which isn't also
> > work
> > with another pam plugins...
> >
> > Recommended way is using enterprise accounts, but still g-c-c doesn't allow
> > you to change the password, because there isn't realmd api for it...
> >
> > Regards
> >
> > Ondrej
> >
> > ----- Original Message -----
> > > Hi everybody,
> > >
> > > I just noticed that I can't change my password using the Gnome Control
> > > Center : next to "Password" it is written in gray "disabled account".
> > >
> > > I am using Kerberos authentication (with my home on an AFS file system)
> > > so I think is Kerberos related. My account is not disabled.
> > >
> > > I got the attached log with "$ gnome-control-center user-accounts
> > > --verbose", but it is not helpfull for me.
> > >
> > > Would you have an idea where to look for ?
> > >
> > > Thanks very much,
> > > Yvan
> > >
> > >
> > > _______________________________________________
> > > gnomecc-list mailing list
> > > gnomecc-list gnome org
> > > https://mail.gnome.org/mailman/listinfo/gnomecc-list