So my users weren’t able to use the passwd command after I implemented LDAP auth on a specific client.

Here’s a quick fix to /etc/pam.d/common-password

password [success=1 user_unknown=ignore default=die] use_authtok try_first_pass

Needs to become…

password [success=1 user_unknown=ignore default=die] try_first_pass

Basically, removing the use_authtok enables the try_first_pass to successfully get processed (I believe, more) and therefore the passwd command can then properly check the first password you type, unlike the error users got before:

$ passwd
Enter login(LDAP) password:
passwd: Authentication information cannot be recovered
passwd: password unchanged
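The same edit, scripted so it can be applied (and re-applied) safely across clients. This is an added example, not code from the original post; it assumes the affected line belongs to pam_ldap.so in a Debian-style pam-auth-update layout (the post does not show the module name), and the sample common-password content is constructed here for offline use.

```shell
#!/bin/sh
# Added example (not from the original post): drop use_authtok from the
# pam_ldap.so password line of a Debian-style /etc/pam.d/common-password.
# Assumptions not stated on the page: the module on the affected line is
# pam_ldap.so and the file follows the pam-auth-update layout sampled below.

# Constructed "before" state of common-password, for offline testing only.
make_sample_common_password() {
    cat > "$1" <<'EOF'
# /etc/pam.d/common-password (constructed sample, not a real system file)
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
EOF
}

# Print the password-type line(s) for pam_ldap.so so they can be inspected.
ldap_password_line() {
    grep -E '^[[:space:]]*password[[:space:]].*pam_ldap\.so' "$1"
}

# Exit 0 if the pam_ldap.so password line still carries use_authtok.
ldap_line_has_use_authtok() {
    ldap_password_line "$1" | grep -qE '(^|[[:space:]])use_authtok([[:space:]]|$)'
}

# Remove the use_authtok option from the pam_ldap.so password line only.
# Every other line (pam_unix.so, pam_deny.so, ...) is left untouched, a .bak
# copy is written first, and the function is idempotent: a second run is a
# no-op because the early return fires when there is nothing to remove.
drop_use_authtok_from_ldap_line() {
    f="$1"
    ldap_line_has_use_authtok "$f" || return 0
    cp -p "$f" "$f.bak" || return 1
    sed -E '/^[[:space:]]*password[[:space:]].*pam_ldap\.so/ s/[[:space:]]+use_authtok([[:space:]]|$)/\1/' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Usage on a real client (as root):
#   . ./fix-common-password.sh
#   drop_use_authtok_from_ldap_line /etc/pam.d/common-password
#   ldap_password_line /etc/pam.d/common-password
```

Why this helps, and the trade-off: use_authtok tells a module to take the new password already collected by an earlier module in the password stack and never to prompt for one. In the stack assumed here, an LDAP-only user is unknown to pam_unix.so, so no new password is ever collected before pam_ldap.so runs; with use_authtok set it has nothing to use and fails with PAM_AUTHTOK_RECOVERY_ERR, which passwd prints as "Authentication information cannot be recovered". Without use_authtok, pam_ldap.so prompts for the new password itself, which is what makes passwd work again. The caveat is that the LDAP password is then no longer the one vetted by whatever strength checks earlier modules applied to the stacked token (pam_unix.so's obscure option in the sample), so if you relied on those, enforce password policy on the LDAP server instead or verify that your stack still checks it.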

