On 11/19/2012 11:31 AM, Marc Grimme wrote:
> This is what the kerberos (kadmin.log) shows on the relevant IPA server.
> Nov 19 17:29:54 axinfra02-1.cl.atix kadmind[18851](Error): password
> quality module empty rejected password for tu...@cl.atix: Empty
> passwords are not allowed
> Nov 19 17:29:54 axinfra02-1.cl.atix kadmind[18851](Notice): chpw request
> from 192.168.3.231 for tu...@cl.atix: Password is too short
>
> I could only enter the old password the new one was never queried.
> Any idea?

Please cross post to the sssd-users. It seems that the server receives
an empty password. I do not know if one can enable a trace that would
show what password is actually sent.
You might need to have a special build of SSSD to see what SSSD is
actually sending.
Anyways ask on SSSD list, you might get some good hints.

Thanks
Dmitri

> Thanks
> Marc.
>
> Am 19.11.2012 16:57, schrieb Dmitri Pal:
>> On 11/19/2012 04:37 AM, Marc Grimme wrote:
>>> (Mon Nov 19 10:33:33 2012) [[sssd[krb5_child[19943]]]]
>>> [krb5_child_setup] (0x4000): Not using FAST.
>>> (Mon Nov 19 10:33:33 2012) [[sssd[krb5_child[19943]]]] [changepw_child]
>>> (0x0020): krb5_change_password failed [2][Server error].
>>> (Mon Nov 19 10:33:33 2012) [[sssd[krb5_child[19943]]]] [changepw_child]
>>> (0x0020): krb5_change_password failed [2][Password not changed.].
>> Have you looked at the server Kerberos log?
>> Do you see an attempt there?
>> If not there might be a problem accessing kadmin process on the server.
>> Might be a firewall issue then.
>> But let us start with the server side.
>>
>>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to