On 11/19/2012 11:31 AM, Marc Grimme wrote:
> This is what the kerberos (kadmin.log) shows on the relevant IPA server.
> Nov 19 17:29:54 axinfra02-1.cl.atix kadmind[18851](Error): password
> quality module empty rejected password for tu...@cl.atix: Empty
> passwords are not allowed
> Nov 19 17:29:54 axinfra02-1.cl.atix kadmind[18851](Notice): chpw request
> from for tu...@cl.atix: Password is too short
> I could only enter the old password the new one was never queried.
> Any idea?

Please cross post to the sssd-users. It seems that the server receives
an empty password. I do not know if one can enable a trace that would
show what password is actually sent.
You might need to have a special build of SSSD to see what SSSD is
actually sending.
Anyways ask on SSSD list, you might get some good hints.


> Thanks
> Marc.
> Am 19.11.2012 16:57, schrieb Dmitri Pal:
>> On 11/19/2012 04:37 AM, Marc Grimme wrote:
>>> (Mon Nov 19 10:33:33 2012) [[sssd[krb5_child[19943]]]]
>>> [krb5_child_setup] (0x4000): Not using FAST.
>>> (Mon Nov 19 10:33:33 2012) [[sssd[krb5_child[19943]]]] [changepw_child]
>>> (0x0020): krb5_change_password failed [2][Server error].
>>> (Mon Nov 19 10:33:33 2012) [[sssd[krb5_child[19943]]]] [changepw_child]
>>> (0x0020): krb5_change_password failed [2][Password not changed.].
>> Have you looked at the server Kerberos log?
>> Do you see an attempt there?
>> If not there might be a problem accessing kadmin process on the server.
>> Might be a firewall issue then.
>> But let us start with the server side.

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Looking to carve out IT costs?

Freeipa-users mailing list

Reply via email to