On 20.11.2012 11:25, Marc Grimme wrote:
On 20.11.2012 09:39, Sumit Bose wrote:
On Mon, Nov 19, 2012 at 09:18:51PM +0100, Marc Grimme wrote:
Hello sssd list.
My problem is that an Ubuntu 12.04 client configured with sssd cannot
change a password that has to be set anew for IPA.
As I've learned from the IPA list there are indications that sssd might
be the problem in this case.

With logging=10 in sssd.conf I see the following logs by sssd:

When a user password expires the users are requested to change their
password (in the login screen).
They'll type their old password and then repeat it as part of the change
process. Nevertheless - although the password matches - they are not
issued to input their new password but get the error message that this
action could not be performed (Password change failed. Server message..).
I guess it is your PAM configuration. If you use a client side password
checker, e.g. pam_cracklib or pam_pwquality.so, in the password section
of your PAM configuration you have to add the 'use_authtok' option to
pam_sss in the section. If you do not use any checker you must not use
'use_authtok' here because sssd would expect a password to be available
on the PAM stack but no module sets it.

From your description I guess you do not have a client-side password
checker but 'use_authtok' is set. If this is the case, please remove
'use_authtok' and try again.

HTH

bye,
Sumit
_______________________________________________
sssd-users mailing list
sssd-us...@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

Hi Sumit,
thanks very much.
I replaced the line
/etc/pam.d/common-password:
password sufficient pam_sss.so use_authtok
with
password sufficient pam_sss.so
restarted lightdm and the password change succeeded like a charm.

Right, the next upload to 12.04 will drop use_authtok from the pam config. The pam-auth-update tool unfortunately doesn't currently support the use case that sssd needs, where on the pam auth stack it should be with a lower priority than pam_unix, but on password stack it should be on top (or after pam_cracklib). That'll get fixed later..


--
t

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
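
An added example, not part of the thread and not sssd or Ubuntu code: a small Python check for the misconfiguration diagnosed above, a password-stack entry that passes `use_authtok` although no earlier entry has put a new password on the PAM stack. It assumes that only the checkers named in the thread (pam_cracklib, pam_pwquality) supply that password; the function name and the sample configurations are constructed.

```python
import re

# Modules the thread names as client-side checkers that put the new
# password on the PAM stack (assumption: no other module does so here).
TOKEN_SETTERS = {"pam_cracklib.so", "pam_pwquality.so"}

# type, control (simple word or [bracketed list]), module path, arguments
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def orphan_use_authtok(pam_text):
    """Return [(line_no, module)] for password-stack entries that pass
    use_authtok although no earlier entry supplies the new password."""
    findings = []
    token_available = False
    for line_no, raw in enumerate(pam_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        match = PAM_LINE.match(line)
        if not match or match.group(1).lower() != "password":
            continue  # blank, comment, @include, or another stack
        module = match.group(3).rsplit("/", 1)[-1]
        args = match.group(4).split()
        if "use_authtok" in args and not token_available:
            findings.append((line_no, module))
        if module in TOKEN_SETTERS:
            token_available = True
    return findings


# Constructed samples modelled on the lines quoted in the thread.
BROKEN = """\
# /etc/pam.d/common-password (constructed)
password sufficient pam_sss.so use_authtok
"""
FIXED = """\
password sufficient pam_sss.so
"""
WITH_CHECKER = """\
password requisite pam_pwquality.so retry=3
password sufficient pam_sss.so use_authtok
"""

if __name__ == "__main__":
    for name, text in [("broken", BROKEN), ("fixed", FIXED),
                       ("with checker", WITH_CHECKER)]:
        print(name, orphan_use_authtok(text))
```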
