15

When I issue a command to change my password like this:

sudo passwd huahsin

The system prompt me:

Current Kerberos password:

I don't know what I have done to the system configuration, how could I eliminate this Kerberos thing when I change my password?

huahsin68
  • 1,847
  • 8
  • 22
  • 25
  • What's the output of this command show for `passwd`: `grep passwd /etc/nsswitch.conf`. I think you've changed your NS resolver setup. – slm Feb 20 '14 at 02:38
  • it shows `compat lsass`. What does this means? – huahsin68 Feb 20 '14 at 02:40
  • That means it will use an Active Directory server to authenticate. What did you do to this system? I think it makes use of a LikeWise product. – slm Feb 20 '14 at 02:44
  • Lsass appears to be a LikeWise module: http://blog.technotesdesk.com/how-to-join-linux-server-into-active-directory-on-sbs-2008-network/ – slm Feb 20 '14 at 02:47
  • Yes, I did install likewise thing in my system, should I uninstall it? Can I just disable it? – huahsin68 Feb 20 '14 at 02:50
  • I think you might be able to just change the `/etc/nsswitch.conf` for the time being. The line can be simply this: `passwd: files`. This will only use your local files (`/etc/passwd` & `/etc/shadow`) for passwords. – slm Feb 20 '14 at 02:51
  • 1
    The reason why it asks for a Kerberos password is that it thinks this user should be managed by Kerberos. And the reason why it thinks so is the minimum user id set in pam.d. Find this line `pam_krb5.so minimum_uid=1000` in /etc/pam.d and change it to a higher number not interfering with local users. – facetus Dec 13 '17 at 19:37

2 Answers2

24

A simple command (workaround?) that worked for me:

sudo -s
pam-auth-update
passwd <yourusername>

During pam-auth-update, use the space bar to disable Kerberos authentification.

StackzOfZtuff
  • 297
  • 2
  • 9
coyotte508
  • 465
  • 4
  • 7
  • After typing shell above in my environment, `pam-auth-update` was about turning off `kerberos pam stack`. I leave a note for future reader. thanks. – ruseel Nov 12 '18 at 05:23
3

This issue seems likely to be a problem with the installation of a Active Directory (AD) integration product for authentication called LikeWise. This product is no longer available, to my knowledge.

You can read more about it her in this articled titled: How to join Linux server into Active Directory on SBS 2008 network. It's also listed here in the Wikipedia page on products that support SMB as well as here on the Active Directory Wikipedia page.

Here are two methods for identifying this product's been setup.

1. Lsass error messages

20111006152006:ERROR:Lsass Error [ERROR_BAD_NET_NAME] Network name not found.. Failure to lookup a domain name ending in “.local” may be the result of configuring the local system’s hostname resolution (or equivalent) to use Multi-cast DN

2. Modified nsswitch.conf

And these modifications to your /etc/nsswitch.conf file.

passwd: compat winbind lsass
group: compat winbind lsass
shadow: compat

Working around?

You should be able to safely leave it installed and change your Name Service Switch configuration file (nsswitch.conf) so that it uses just your local files for authentication.

passwd: files
group:  files
shadow: files

I also dug up this Launchpad bug that covers uninstalling LikeWise-open. There are some things that it doesn't do to revert your system when you uninstall it. They're covered in this bug along with how to manually undo the install.

slm
  • 363,520
  • 117
  • 767
  • 871
  • Am I require to restart any service? – huahsin68 Feb 20 '14 at 03:08
  • @huahsin68 - No the changes should be instant. Did it not work? – slm Feb 20 '14 at 03:12
  • Nope, the Kerbeors thing still persist. Any other solution? – huahsin68 Feb 20 '14 at 03:19
  • @huahsin68 - see the launchpad thread I linked to. Also you need to do more then just `passwd` changes to `nsswitch.conf`. – slm Feb 20 '14 at 03:20
  • the `pam` controls are changed as well, which is where `passwd` is getting the kerberos modules. – Ricky Feb 20 '14 at 04:55
  • @RickyBeam - ah that makes sense, I've never used Likewise so I'm not at all familiar with how it winds itself into your system. I'd probably just remove it unless you had a burning reason to keep it. – slm Feb 20 '14 at 05:07
  • 1
    @slm As I read on the link you gave, I am require to leave the domain from LikeWise. And I did try it, now the kerberos thing has gone. Great help! – huahsin68 Feb 20 '14 at 05:38
  • @huahsin68 - Great! Glad that solved your problem. – slm Feb 20 '14 at 05:44