On Mon, Nov 19, 2012 at 09:18:51PM +0100, Marc Grimme wrote: > Hello sssd list. > My problem is that a with sssd configured ubuntu 12.04 client cannot > change a password that has to be set a new for IPA. > As I've learned from the IPA list there are indications that sssd might > be the problem in this case. > > With logging=10 in sssd.conf I see the following logs by sssd: > > When a user password expires the users are requested to change their > password (in the login screen). > They'll type their old password and then repeat it as part of the change > process. Nevertheless - although the password matches - they are not > issued to input their new password but get the error message that this > action could not be performed (Password change failed. Server message..).
I guess it is you PAM configuration. If you use a client side password checker, e.g. pam_cracklib or pam_pwquality.so, in the password section of you PAM configuration you have to add the 'use_authtok' option to pam_sss in the section. If you do not use any checker you must not use 'use_authtok' here because sssd would expect a password to be available on the PAM stack but no module sets it. >From your description I guess you do not have a client-side password checker but 'use_authtok' is set. If this is the case, please remove 'use_authtok' and try again. HTH bye, Sumit _______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users