on related problems: 

I opened a bug regarding messages given to user on lightdm: 
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1009013 

It seems that PAM interaction with the user is not correctly handled by graphical 
logins. 

----- Original Message -----
From: "Marc Grimme" <gri...@atix.de> 
To: "End-user discussions about the System Security Services Daemon" 
<sssd-us...@lists.fedorahosted.org> 
CC: freeipa-users@redhat.com 
Sent: Tuesday, 20 November 2012 10:25:56 
Subject: Re: [SSSD-users] [Freeipa-users] Problem with password reset on 
ubuntu 12.04 (lightdm) 

On 20.11.2012 09:39, Sumit Bose wrote: 
> On Mon, Nov 19, 2012 at 09:18:51PM +0100, Marc Grimme wrote: 
>> Hello sssd list. 
>> My problem is that an Ubuntu 12.04 client configured with sssd cannot 
>> change a password that has to be set anew for IPA. 
>> As I've learned from the IPA list there are indications that sssd might 
>> be the problem in this case. 
>> 
>> With logging=10 in sssd.conf I see the following logs by sssd: 
>> 
>> When a user password expires the users are requested to change their 
>> password (in the login screen). 
>> They'll type their old password and then repeat it as part of the change 
>> process. Nevertheless - although the password matches - they are not 
>> issued to input their new password but get the error message that this 
>> action could not be performed (Password change failed. Server message..). 
> I guess it is your PAM configuration. If you use a client side password 
> checker, e.g. pam_cracklib or pam_pwquality.so, in the password section 
> of your PAM configuration you have to add the 'use_authtok' option to 
> pam_sss in the section. If you do not use any checker you must not use 
> 'use_authtok' here because sssd would expect a password to be available 
> on the PAM stack but no module sets it. 
> 
> From your description I guess you do not have a client-side password 
> checker but 'use_authtok' is set. If this is the case, please remove 
> 'use_authtok' and try again. 
> 
> HTH 
> 
> bye, 
> Sumit 
> _______________________________________________ 
> sssd-users mailing list 
> sssd-us...@lists.fedorahosted.org 
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users 

Hi Sumit, 
thanks very much. 
I replaced the line 
/etc/pam.d/common-password: 
password sufficient pam_sss.so use_authtok 
with 
password sufficient pam_sss.so 
restarted lightdm and the password change succeeded like a charm. 

Regards Marc. 
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
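
An added example, not part of the original thread: a small Python check that applies the rule Sumit describes to the password section of a PAM file such as /etc/pam.d/common-password. It assumes that only the two checkers named in the thread (pam_cracklib, pam_pwquality) put a new password on the PAM stack; the function names and sample inputs are constructed for illustration.

```python
import re

# Assumption: only the client-side checkers named in the thread are treated as
# modules that put a new password on the PAM stack; extend the set as needed.
CHECKERS = {"pam_cracklib.so", "pam_pwquality.so"}

# type, control (plain word or [bracketed list]), module, remaining options
LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_password_stack(text):
    """Return [(module, [options])] for 'password' lines, in stack order."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = LINE_RE.match(line)
        if not m or m.group(1).lstrip("-") != "password":
            continue
        module = m.group(3).rsplit("/", 1)[-1]  # tolerate absolute module paths
        stack.append((module, m.group(4).split()))
    return stack


def check_use_authtok(text):
    """Report pam_sss lines whose use_authtok setting does not match the stack."""
    findings = []
    checker_seen = False
    for module, opts in parse_password_stack(text):
        if module in CHECKERS:
            checker_seen = True
        elif module == "pam_sss.so":
            has_opt = "use_authtok" in opts
            if has_opt and not checker_seen:
                findings.append("pam_sss.so: use_authtok set but no checker precedes it")
            elif checker_seen and not has_opt:
                findings.append("pam_sss.so: checker precedes it but use_authtok missing")
    return findings


# Constructed sample inputs modelled on the lines quoted in the thread.
BROKEN = "password sufficient pam_sss.so use_authtok\n"
FIXED = "password sufficient pam_sss.so\n"
WITH_CHECKER = ("password requisite pam_pwquality.so retry=3\n"
                "password sufficient pam_sss.so use_authtok\n")

if __name__ == "__main__":
    for name, conf in [("broken", BROKEN), ("fixed", FIXED), ("checker", WITH_CHECKER)]:
        print(name, check_use_authtok(conf) or "ok")
```

To check a real host, pass the contents of the PAM file to check_use_authtok(); an empty list means the pam_sss line is consistent with the rest of the password stack under the stated assumption.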