Am 20.11.2012 09:39, schrieb Sumit Bose:
> On Mon, Nov 19, 2012 at 09:18:51PM +0100, Marc Grimme wrote:
>> Hello sssd list.
>> My problem is that a with sssd configured ubuntu 12.04 client cannot
>> change a password that has to be set a new for IPA.
>> As I've learned from the IPA list there are indications that sssd might
>> be the problem in this case.
>>
>> With logging=10 in sssd.conf I see the following logs by sssd:
>>
>> When a user password expires the users are requested to change their
>> password (in the login screen).
>> They'll type their old password and then repeat it as part of the change
>> process. Nevertheless - although the password matches - they are not
>> issued to input their new password but get the error message that this
>> action could not be performed (Password change failed. Server message..).
> I guess it is you PAM configuration. If you use a client side password
> checker, e.g. pam_cracklib or pam_pwquality.so,  in the password section
> of you PAM configuration you have to add the 'use_authtok' option to
> pam_sss in the section. If you do not use any checker you must not use
> 'use_authtok' here because sssd would expect a password to be available
> on the PAM stack but no module sets it.
>
> From your description I guess you do not have a client-side password
> checker but 'use_authtok' is set. If this is the case, please remove
> 'use_authtok' and try again.
>
> HTH
>
> bye,
> Sumit
> _______________________________________________
> sssd-users mailing list
> sssd-us...@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users

Hi Sumit,
thanks very much.
I replaced the line
/etc/pam.d/common-password:
password sufficient pam_sss.so use_authtok
with
password sufficient pam_sss.so
restarted lightdm and the password change succeeded like a charm.

Regards Marc.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to