On 09/19/2012 02:56 AM, Jakub Hrozek wrote:
> On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote:
>> So, commenting out: 
>> password    requisite     pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
>> Caused users updating their passwords using ssh to get:
>> [ykatabam@ykatabam ~]$ ssh ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com
>> ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
>> Permission denied, please try again.
>> ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
>> Password expired. Change your password now.
>> Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com
>> WARNING: Your password has expired.
>> You must change your password now and login again!
>> Changing password for user ykatabam.
>> Current Password:
>> Password change failed. Server message: Password change failed
>> passwd: Authentication token manipulation error
>> Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
>> Is that to say that you need at least 1 password requisite? That instead of 
>> commenting out the password requisite pam_cracklib.so, I should have 
>> replaced it with something?
> What did /var/log/secure have to say?
> The message sounds to me like it's coming from the server..
Please look at the krb5kdc.log on the server.
This is the server side message.
Most likely it did not like the password because it did not meet the policy.
I wonder whether there is a bug in the case where the password policy has 0
for the required character classes.
Trying different passwords and changing the policy while watching the
log will give you more answers.

> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
