Hey, sorry, I'm a little confused about all the pieces. 

I want to let my users reset expired passwords using ssh. I would really like 
them to be able to use the same password every time, and not worry if that 
password is "icecream". 

From what I can tell, sshd_config turns the authentication over to PAM, which 
uses sssd(?) to get information from IPA.

Is it true this line in /etc/pam.d/password-auth was enforcing the stringent 
requirements, and not IPA? 
password    requisite     pam_cracklib.so

I've noticed that if I comment out that line, authentication fails because none 
of my IPA users are in /etc/passwd. The configuration also gets reset to the 
default when I restart sssd.

Can anyone give me a suggestion that will:
- allow my users to use any password they want, with the least possible 
restrictions, 
- reset expired passwords with SSH?

Here is a selection from krb5kdc.log (followed by the corresponding section of 
/var/log/secure):

Sep 20 13:22:57 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: CLIENT KEY EXPIRED: 
ti...@ecs-cloud.lab.eng.bne.redhat.com for 
krbtgt/ecs-cloud.lab.eng.bne.redhat....@ecs-cloud.lab.eng.bne.redhat.com, 
Password has expired
Sep 20 13:22:57 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: 
ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com, Additional pre-authentication 
required
Sep 20 13:22:57 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111377, 
etypes {rep=18 tkt=18 ses=18}, ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com
Sep 20 13:23:03 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: 
ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com, Additional pre-authentication 
required
Sep 20 13:23:03 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 20 13:23:03 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: PREAUTH_FAILED: 
ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com, Decrypt integrity check failed
Sep 20 13:23:55 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: CLIENT KEY EXPIRED: 
ti...@ecs-cloud.lab.eng.bne.redhat.com for 
krbtgt/ecs-cloud.lab.eng.bne.redhat....@ecs-cloud.lab.eng.bne.redhat.com, 
Password has expired
Sep 20 13:23:55 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: 
ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com, Additional pre-authentication 
required
Sep 20 13:23:55 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111435, 
etypes {rep=18 tkt=18 ses=18}, ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com
Sep 20 13:23:57 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: 
ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com, Additional pre-authentication 
required
Sep 20 13:23:57 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111437, 
etypes {rep=18 tkt=18 ses=18}, ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com
Sep 20 13:24:14 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: 
ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com, Additional pre-authentication 
required
Sep 20 13:24:14 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111454, 
etypes {rep=18 tkt=18 ses=18}, ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com
Sep 20 13:24:14 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com for 
krbtgt/ecs-cloud.lab.eng.bne.redhat....@ecs-cloud.lab.eng.bne.redhat.com, 
Additional pre-authentication required
Sep 20 13:24:14 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111454, 
etypes {rep=18 tkt=18 ses=18}, kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com 
for krbtgt/ecs-cloud.lab.eng.bne.redhat....@ecs-cloud.lab.eng.bne.redhat.com
Sep 20 13:24:14 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
TGS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111454, 
etypes {rep=18 tkt=18 ses=18}, kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com 
for ldap/dns1.ecs-cloud.lab.eng.bne.redhat....@ecs-cloud.lab.eng.bne.redhat.com
Sep 20 13:25:26 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: 
host/dns1.ecs-cloud.lab.eng.bne.redhat....@ecs-cloud.lab.eng.bne.redhat.com for 
krbtgt/ecs-cloud.lab.eng.bne.redhat....@ecs-cloud.lab.eng.bne.redhat.com, 
Additional pre-authentication required
Sep 20 13:25:26 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111526, 
etypes {rep=18 tkt=18 ses=18}, 
host/dns1.ecs-cloud.lab.eng.bne.redhat....@ecs-cloud.lab.eng.bne.redhat.com for 
krbtgt/ecs-cloud.lab.eng.bne.redhat....@ecs-cloud.lab.eng.bne.redhat.com
Sep 20 13:25:26 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
TGS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111526, 
etypes {rep=18 tkt=18 ses=18}, 
host/dns1.ecs-cloud.lab.eng.bne.redhat....@ecs-cloud.lab.eng.bne.redhat.com for 
ldap/dns1.ecs-cloud.lab.eng.bne.redhat....@ecs-cloud.lab.eng.bne.redhat.com
Sep 20 13:25:26 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: CLIENT KEY EXPIRED: 
ti...@ecs-cloud.lab.eng.bne.redhat.com for 
krbtgt/ecs-cloud.lab.eng.bne.redhat....@ecs-cloud.lab.eng.bne.redhat.com, 
Password has expired
Sep 20 13:25:26 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: 
ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com, Additional pre-authentication 
required
Sep 20 13:25:26 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111526, 
etypes {rep=18 tkt=18 ses=18}, ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com
Sep 20 13:25:28 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: 
ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com, Additional pre-authentication 
required
Sep 20 13:25:28 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111528, 
etypes {rep=18 tkt=18 ses=18}, ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com
Sep 20 13:25:28 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: 
ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com, Additional pre-authentication 
required
Sep 20 13:25:28 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111528, 
etypes {rep=18 tkt=18 ses=18}, ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com
Sep 20 13:25:29 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com for 
krbtgt/ecs-cloud.lab.eng.bne.redhat....@ecs-cloud.lab.eng.bne.redhat.com, 
Additional pre-authentication required
Sep 20 13:25:29 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111529, 
etypes {rep=18 tkt=18 ses=18}, kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com 
for krbtgt/ecs-cloud.lab.eng.bne.redhat....@ecs-cloud.lab.eng.bne.redhat.com
Sep 20 13:25:29 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
TGS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111529, 
etypes {rep=18 tkt=18 ses=18}, kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com 
for ldap/dns1.ecs-cloud.lab.eng.bne.redhat....@ecs-cloud.lab.eng.bne.redhat.com
Sep 20 13:25:58 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: CLIENT KEY EXPIRED: 
ti...@ecs-cloud.lab.eng.bne.redhat.com for 
krbtgt/ecs-cloud.lab.eng.bne.redhat....@ecs-cloud.lab.eng.bne.redhat.com, 
Password has expired
Sep 20 13:25:58 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: 
ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com, Additional pre-authentication 
required
Sep 20 13:25:58 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111558, 
etypes {rep=18 tkt=18 ses=18}, ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com
Sep 20 13:26:01 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: 
ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com, Additional pre-authentication 
required
Sep 20 13:26:01 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111561, 
etypes {rep=18 tkt=18 ses=18}, ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com
Sep 20 13:26:01 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: 
ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com, Additional pre-authentication 
required
Sep 20 13:26:01 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111561, 
etypes {rep=18 tkt=18 ses=18}, ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com
Sep 20 13:26:01 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com for 
krbtgt/ecs-cloud.lab.eng.bne.redhat....@ecs-cloud.lab.eng.bne.redhat.com, 
Additional pre-authentication required
Sep 20 13:26:01 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111561, 
etypes {rep=18 tkt=18 ses=18}, kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com 
for krbtgt/ecs-cloud.lab.eng.bne.redhat....@ecs-cloud.lab.eng.bne.redhat.com
Sep 20 13:26:01 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
TGS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111561, 
etypes {rep=18 tkt=18 ses=18}, kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com 
for ldap/dns1.ecs-cloud.lab.eng.bne.redhat....@ecs-cloud.lab.eng.bne.redhat.com

And here is the corresponding section in /var/log/secure:

Sep 20 13:22:57 dns1 sshd[12308]: pam_unix(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com  user=timbo
Sep 20 13:22:57 dns1 sshd[12308]: pam_sss(sshd:auth): system info: [Password 
has expired]
Sep 20 13:22:57 dns1 sshd[12308]: pam_sss(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com user=timbo
Sep 20 13:22:57 dns1 sshd[12308]: pam_sss(sshd:auth): received for user timbo: 
12 (Authentication token is no longer valid; new one required)
Sep 20 13:22:57 dns1 sshd[12308]: pam_sss(sshd:account): User info message: 
Password expired. Change your password now.
Sep 20 13:22:57 dns1 sshd[12308]: Accepted password for timbo from 10.64.0.171 
port 55407 ssh2
Sep 20 13:22:57 dns1 sshd[12308]: pam_unix(sshd:session): session opened for 
user timbo by (uid=0)
Sep 20 13:22:57 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not 
exist in /etc/passwd
Sep 20 13:23:03 dns1 passwd: pam_sss(passwd:chauthtok): system info: [Decrypt 
integrity check failed]
Sep 20 13:23:03 dns1 passwd: pam_sss(passwd:chauthtok): Authentication failed 
for user timbo: 4 (System error)
Sep 20 13:23:05 dns1 sshd[12311]: Received disconnect from 10.64.0.171: 11: 
disconnected by user
Sep 20 13:23:05 dns1 sshd[12308]: pam_unix(sshd:session): session closed for 
user timbo
Sep 20 13:23:55 dns1 sshd[12314]: pam_unix(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com  user=timbo
Sep 20 13:23:55 dns1 sshd[12314]: pam_sss(sshd:auth): system info: [Password 
has expired]
Sep 20 13:23:55 dns1 sshd[12314]: pam_sss(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com user=timbo
Sep 20 13:23:55 dns1 sshd[12314]: pam_sss(sshd:auth): received for user timbo: 
12 (Authentication token is no longer valid; new one required)
Sep 20 13:23:55 dns1 sshd[12314]: pam_sss(sshd:account): User info message: 
Password expired. Change your password now.
Sep 20 13:23:55 dns1 sshd[12314]: Accepted password for timbo from 10.64.0.171 
port 55413 ssh2
Sep 20 13:23:55 dns1 sshd[12314]: pam_unix(sshd:session): session opened for 
user timbo by (uid=0)
Sep 20 13:23:55 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not 
exist in /etc/passwd
Sep 20 13:24:14 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not 
exist in /etc/passwd
Sep 20 13:24:14 dns1 passwd: pam_sss(passwd:chauthtok): system info: [Generic 
error (see e-text)]
Sep 20 13:24:14 dns1 passwd: pam_sss(passwd:chauthtok): User info message: 
Password change failed. Server message: Password change failed
Sep 20 13:24:14 dns1 passwd: pam_sss(passwd:chauthtok): Password change failed 
for user timbo: 20 (Authentication token manipulation error)
Sep 20 13:24:17 dns1 sshd[12317]: Received disconnect from 10.64.0.171: 11: 
disconnected by user
Sep 20 13:24:17 dns1 sshd[12314]: pam_unix(sshd:session): session closed for 
user timbo
Sep 20 13:25:02 dns1 sshd[12279]: Received signal 15; terminating.
Sep 20 13:25:02 dns1 sshd[12360]: Server listening on 0.0.0.0 port 22.
Sep 20 13:25:02 dns1 sshd[12360]: Server listening on :: port 22.
Sep 20 13:25:25 dns1 sshd[12362]: pam_unix(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com  user=timbo
Sep 20 13:25:26 dns1 sshd[12362]: pam_sss(sshd:auth): system info: [Password 
has expired]
Sep 20 13:25:26 dns1 sshd[12362]: pam_sss(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com user=timbo
Sep 20 13:25:26 dns1 sshd[12362]: pam_sss(sshd:auth): received for user timbo: 
12 (Authentication token is no longer valid; new one required)
Sep 20 13:25:26 dns1 sshd[12362]: pam_sss(sshd:account): User info message: 
Password expired. Change your password now.
Sep 20 13:25:26 dns1 sshd[12362]: Accepted password for timbo from 10.64.0.171 
port 55426 ssh2
Sep 20 13:25:26 dns1 sshd[12362]: pam_unix(sshd:session): session opened for 
user timbo by (uid=0)
Sep 20 13:25:26 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not 
exist in /etc/passwd
Sep 20 13:25:28 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not 
exist in /etc/passwd
Sep 20 13:25:29 dns1 passwd: pam_sss(passwd:chauthtok): system info: [Generic 
error (see e-text)]
Sep 20 13:25:29 dns1 passwd: pam_sss(passwd:chauthtok): User info message: 
Password change failed. Server message: Password change failed
Sep 20 13:25:29 dns1 passwd: pam_sss(passwd:chauthtok): Password change failed 
for user timbo: 20 (Authentication token manipulation error)
Sep 20 13:25:31 dns1 sshd[12366]: Received disconnect from 10.64.0.171: 11: 
disconnected by user
Sep 20 13:25:31 dns1 sshd[12362]: pam_unix(sshd:session): session closed for 
user timbo
Sep 20 13:25:58 dns1 sshd[12371]: pam_unix(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com  user=timbo
Sep 20 13:25:58 dns1 sshd[12371]: pam_sss(sshd:auth): system info: [Password 
has expired]
Sep 20 13:25:58 dns1 sshd[12371]: pam_sss(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com user=timbo
Sep 20 13:25:58 dns1 sshd[12371]: pam_sss(sshd:auth): received for user timbo: 
12 (Authentication token is no longer valid; new one required)
Sep 20 13:25:58 dns1 sshd[12371]: pam_sss(sshd:account): User info message: 
Password expired. Change your password now.
Sep 20 13:25:58 dns1 sshd[12371]: Accepted password for timbo from 10.64.0.171 
port 55429 ssh2
Sep 20 13:25:58 dns1 sshd[12371]: pam_unix(sshd:session): session opened for 
user timbo by (uid=0)
Sep 20 13:25:58 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not 
exist in /etc/passwd
Sep 20 13:26:01 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not 
exist in /etc/passwd
Sep 20 13:26:01 dns1 passwd: pam_sss(passwd:chauthtok): system info: [Generic 
error (see e-text)]
Sep 20 13:26:01 dns1 passwd: pam_sss(passwd:chauthtok): User info message: 
Password change failed. Server message: Password change failed
Sep 20 13:26:01 dns1 passwd: pam_sss(passwd:chauthtok): Password change failed 
for user timbo: 20 (Authentication token manipulation error)
Sep 20 13:26:04 dns1 sshd[12374]: Received disconnect from 10.64.0.171: 11: 
disconnected by user
Sep 20 13:26:04 dns1 sshd[12371]: pam_unix(sshd:session): session closed for 
user timbo

Any ideas?


Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

----- Original Message -----
> From: "Petr Spacek" <pspa...@redhat.com>
> To: freeipa-users@redhat.com
> Sent: Wednesday, September 19, 2012 9:56:21 PM
> Subject: Re: [Freeipa-users] Password requirements too stringent
> 
> On 09/19/2012 01:32 PM, Dmitri Pal wrote:
> > On 09/19/2012 02:56 AM, Jakub Hrozek wrote:
> >> On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote:
> >>> So, commenting out:
> >>> password    requisite     pam_cracklib.so try_first_pass retry=3
> >>> type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
> >>>
> >>> Caused users updating their passwords using ssh to get:
> >>>
> >>> [ykatabam@ykatabam ~]$ ssh
> >>> ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com
> >>> ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
> >>> Permission denied, please try again.
> >>> ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
> >>> Password expired. Change your password now.
> >>> Last login: Fri Sep 14 10:20:49 2012 from
> >>> vpn1-48-53.bne.redhat.com
> >>> WARNING: Your password has expired.
> >>> You must change your password now and login again!
> >>> Changing password for user ykatabam.
> >>> Current Password:
> >>> Password change failed. Server message: Password change failed
> >>> passwd: Authentication token manipulation error
> >>> Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
> >>>
> >>> Is that to say that you need at least 1 password requisite? That
> >>> instead of commenting out the password requisite
> >>> pam_cracklib.so, I should have replaced it with something?
> >> What did /var/log/secure have to say?
> >>
> >> The message sounds to me like it's coming from the server..
> > Please look at the krb5kdc.log on the server.
> > This is the server side message.
> > Most likely it did not like the password because it did not meet
> > the policy.
> > I wonder whether there is a bug in case password policy has 0 for
> > the
> > required character classes.
> > Trying different passwords and changing the policy while watching
> > the
> > log will give you more answers.
> 
> BTW if required character classes == 1 there is nothing to enforce,
> because
> each (non-empty) password has at least one character class.
> 
> You can check if there is some difference between 0 and 1.
> 
> Petr^2 Spacek
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 
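
The two logs in the message above can be read together: for each failed pam_sss password change, the last KDC request that user made to the password-change principal shows whether the current password or the new one was refused. This is an added example, not part of the original thread; the sample lines are constructed in the same format (unwrapped), and the user "alice", realm EXAMPLE.TEST, host names and addresses are placeholders.

```python
import re
from datetime import datetime

# Constructed sample input (placeholders: alice, EXAMPLE.TEST, 192.0.2.10).
# kadmin/changepw is the standard Kerberos password-change principal.
KDC_LOG = """\
Sep 20 13:22:57 kdc.example.test krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT KEY EXPIRED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Password has expired
Sep 20 13:22:57 kdc.example.test krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1348111377, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for kadmin/changepw@EXAMPLE.TEST
Sep 20 13:23:03 kdc.example.test krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.TEST for kadmin/changepw@EXAMPLE.TEST, Additional pre-authentication required
Sep 20 13:23:03 kdc.example.test krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.TEST for kadmin/changepw@EXAMPLE.TEST, Decrypt integrity check failed
Sep 20 13:24:14 kdc.example.test krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1348111454, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for kadmin/changepw@EXAMPLE.TEST
"""
SECURE_LOG = """\
Sep 20 13:23:03 host1 passwd: pam_sss(passwd:chauthtok): system info: [Decrypt integrity check failed]
Sep 20 13:23:03 host1 passwd: pam_sss(passwd:chauthtok): Authentication failed for user alice: 4 (System error)
Sep 20 13:24:14 host1 passwd: pam_sss(passwd:chauthtok): Password change failed for user alice: 20 (Authentication token manipulation error)
"""

KDC_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ krb5kdc\[\d+\]\(info\): (?:AS|TGS)_REQ \(.*?\) "
    r"\S+: (?P<status>[A-Z_ ]+): (?:authtime \d+, etypes \{.*?\}, )?"
    r"(?P<client>\S+) for (?P<service>[^,\s]+)")
PAM_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ passwd: pam_sss\(passwd:chauthtok\): "
    r"(?:Authentication|Password change) failed for user (?P<user>\S+): (?P<code>\d+)")

VERDICTS = {
    "PREAUTH_FAILED": "current password refused by the KDC; new password never evaluated",
    "ISSUE": "current password accepted; change refused server-side, check the password policy",
}
NO_MATCH = "no matching KDC request; check clocks and log coverage"


def _ts(stamp, year):
    # Syslog timestamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def explain_failures(kdc_log, secure_log, year=2012):
    """Return [(timestamp, user, verdict)] for each failed pam_sss password change."""
    changepw = []  # (time, user, status) of requests for a kadmin/changepw ticket
    for line in kdc_log.splitlines():
        m = KDC_RE.match(line)
        # NEEDED_PREAUTH is the normal first leg of every request, not an outcome.
        if m and m["service"].startswith("kadmin/changepw@") and m["status"] != "NEEDED_PREAUTH":
            changepw.append((_ts(m["ts"], year), m["client"].split("@")[0], m["status"]))
    results = []
    for line in secure_log.splitlines():
        m = PAM_RE.match(line)
        if not m:
            continue
        when = _ts(m["ts"], year)
        prior = [s for t, u, s in changepw if u == m["user"] and t <= when]
        results.append((m["ts"], m["user"], VERDICTS.get(prior[-1], NO_MATCH) if prior else NO_MATCH))
    return results


if __name__ == "__main__":
    for row in explain_failures(KDC_LOG, SECURE_LOG):
        print(*row, sep=" | ")
```

Feed it the raw log files rather than text pasted from mail, since wrapped lines will not match the patterns.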
