Change local password as root after configuring for MS-AD Kerberos+LDAP

Solution 1:

In your /etc/pam.d/common-password, change the minimum_uid in your first line to something bigger than 1000, for example:

password        [success=3 default=ignore]      pam_krb5.so minimum_uid=10000

That worked for me. This is what you should see in /var/log/auth.log after changing the password for that user as root:

Dec 26 12:34:36 3.8.0-29-generic passwd[22667]: pam_unix(passwd:chauthtok): password changed for service1

Solution 2:

@Ameer's answer about editing common-password is correct. But: when you edit the uid limits of PAM in general, don't forget to edit all the affected PAM files! If you search for krb5 in /etc/pam.d, you should find all the relevant files:

root@server:/etc/pam.d# grep -R krb5 .
./common-auth:auth  [success=2 default=ignore]  pam_krb5.so minimum_uid=10000
./common-session-noninteractive:session optional            pam_krb5.so minimum_uid=10000
./common-session:session    optional            pam_krb5.so minimum_uid=10000
./common-account:account    required            pam_krb5.so minimum_uid=10000
./common-password:password  [success=2 default=ignore]  pam_krb5.so minimum_uid=10000

If, for example, you've only edited common-auth, but not common-password, authentication works with local accounts, but passwd still asks for the current Kerberos password! (Which is exactly the mistake that led me here.)
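A consistency check for the mistake the second answer describes, added here as an example and not part of either answer: it reads file:line records in the shape of the grep output above (a constructed sample is embedded, with common-password deliberately left without minimum_uid) and reports every pam_krb5.so line that lacks minimum_uid or does not set it above the threshold you pass.

```shell
# Constructed sample in the shape of `grep -R krb5 .` run in /etc/pam.d.
# The common-password line is deliberately missing minimum_uid (hypothetical values).
SAMPLE_PAM='./common-auth:auth  [success=2 default=ignore]  pam_krb5.so minimum_uid=10000
./common-session-noninteractive:session optional            pam_krb5.so minimum_uid=10000
./common-session:session    optional            pam_krb5.so minimum_uid=10000
./common-account:account    required            pam_krb5.so minimum_uid=10000
./common-password:password  [success=2 default=ignore]  pam_krb5.so'

# check_krb5_uid THRESHOLD: reads "file:pam-line" records on stdin and prints one
# line per file whose pam_krb5.so entry has no minimum_uid or a minimum_uid that is
# not above THRESHOLD. Returns 0 when every file passes, 1 otherwise.
check_krb5_uid() {
  threshold="$1"
  status=0
  while IFS= read -r line; do
    # Only pam_krb5 lines matter; everything else is skipped.
    case "$line" in *pam_krb5.so*) ;; *) continue ;; esac
    file=${line%%:*}
    uid=$(printf '%s\n' "$line" | sed -n 's/.*minimum_uid=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$uid" ]; then
      printf '%s: pam_krb5.so has no minimum_uid\n' "$file"
      status=1
    elif [ "$uid" -le "$threshold" ]; then
      printf '%s: minimum_uid=%s is not above %s\n' "$file" "$uid" "$threshold"
      status=1
    fi
  done
  return $status
}

# Run against the constructed sample. On a real host:
#   cd /etc/pam.d && grep -R krb5 . | check_krb5_uid 1000
printf '%s\n' "$SAMPLE_PAM" | check_krb5_uid 1000 \
  || echo "pam_krb5 minimum_uid is inconsistent across /etc/pam.d"
```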