On 09/19/2012 01:32 PM, Dmitri Pal wrote:
On 09/19/2012 02:56 AM, Jakub Hrozek wrote:
On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote:
So, commenting out:
password    requisite     pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8

Caused users updating their passwords using ssh to get:

[ykatabam@ykatabam ~]$ ssh ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com
ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
Permission denied, please try again.
ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
Password expired. Change your password now.
Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user ykatabam.
Current Password:
Password change failed. Server message: Password change failed
passwd: Authentication token manipulation error
Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.

Is that to say that you need at least 1 password requisite? That instead of 
commenting out the password requisite pam_cracklib.so, I should have replaced 
it with something?
What did /var/log/secure have to say?

The message sounds to me like it's coming from the server.
Please look at the krb5kdc.log on the server.
This is the server side message.
Most likely it did not like the password because it did not meet the policy.
I wonder whether there is a bug in case password policy has 0 for the
required character classes.
Trying different passwords and changing the policy while watching the
log will give you more answers.

BTW if required character classes == 1 there is nothing to enforce, because each (non-empty) password has at least one character class.

You can check if there is some difference between 0 and 1.

Petr^2 Spacek

Freeipa-users mailing list
