On 09/19/2012 02:56 AM, Jakub Hrozek wrote:
> On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote:
>> So, commenting out:
>> password requisite pam_cracklib.so try_first_pass retry=3 type=
>> dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
>>
>> Caused users updating their passwords using ssh to get:
>>
>> [ykatabam@ykatabam ~]$ ssh ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com
>> ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
>> Permission denied, please try again.
>> ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
>> Password expired. Change your password now.
>> Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com
>> WARNING: Your password has expired.
>> You must change your password now and login again!
>> Changing password for user ykatabam.
>> Current Password:
>> Password change failed. Server message: Password change failed
>> passwd: Authentication token manipulation error
>> Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
>>
>> Is that to say that you need at least 1 password requisite? That instead of
>> commenting out the password requisite pam_cracklib.so, I should have
>> replaced it with something?
> What did /var/log/secure have to say?
>
> The message sounds to me like it's coming from the server..

Please look at the krb5kdc.log on the server.
This is the server side message. Most likely it did not like the password
because it did not meet the policy.
I wonder whether there is a bug in case password policy has 0 for the
required character classes.
Trying different passwords and changing the policy while watching the
log will give you more answers.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipaemail@example.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.