Strange Kerberos problems

A few days ago one of our users reported that they couldn’t change their password. The error coming out of the passwd command was confusing in itself – it said ‘bad old password’, or similar, which turns out to be a bug in our wrapper script.

After some investigation we discovered that neither kadmin nor kpasswd worked:

tdb [~] % kadmin -p tdb/admin
Enter Password:
kadmin: Operation failed for unspecified reason while
initializing kadmin interface
tdb [~] % kpasswd
kpasswd: Changing password for tdb.
Old password:
kpasswd: Cannot establish a session with the Kerberos
administrative server for realm CS.UKC.AC.UK.
Operation failed for unspecified reason.

The completely unhelpful bit there is the “failed for unspecified reason” error message. How are you meant to even begin debugging that? After a couple of hours digging I logged the call with Sun.

It turns out that there is a known bug:

Document ID:6410919
Title:Patch 112908-24 will cause the kadmin -p kws/admin to exit with a error message

The solution presented was to remove patch 112908-24. This time I’m willing to do that, but from past experience I’d like to see them actually fix the problem rather than just back it out. Or, at the very least, remove the patch from cluster patches. Otherwise in 6 months’ time I’m left staring at the same problem.

What I’ve found most interesting in all this is that it took the best part of a month for anyone to notice passwords couldn’t be changed :-)
