On related problems: I opened a bug regarding messages given to the user on lightdm: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1009013
It seems that PAM interaction with the user is not correctly handled by graphical logins.

----- Original Message -----
From: "Marc Grimme" <[email protected]>
To: "End-user discussions about the System Security Services Daemon" <[email protected]>
CC: [email protected]
Sent: Tuesday, 20 November 2012 10:25:56
Subject: Re: [SSSD-users] [Freeipa-users] Problem with password reset on ubuntu 12.04 (lightdm)

On 20.11.2012 09:39, Sumit Bose wrote:
> On Mon, Nov 19, 2012 at 09:18:51PM +0100, Marc Grimme wrote:
>> Hello sssd list.
>> My problem is that an Ubuntu 12.04 client configured with sssd cannot
>> change a password that has to be set anew for IPA.
>> As I've learned from the IPA list there are indications that sssd might
>> be the problem in this case.
>>
>> With logging=10 in sssd.conf I see the following logs by sssd:
>>
>> When a user password expires the users are requested to change their
>> password (in the login screen).
>> They'll type their old password and then repeat it as part of the change
>> process. Nevertheless - although the password matches - they are not
>> issued to input their new password but get the error message that this
>> action could not be performed (Password change failed. Server message..).
> I guess it is your PAM configuration. If you use a client side password
> checker, e.g. pam_cracklib or pam_pwquality.so, in the password section
> of your PAM configuration you have to add the 'use_authtok' option to
> pam_sss in the section. If you do not use any checker you must not use
> 'use_authtok' here because sssd would expect a password to be available
> on the PAM stack but no module sets it.
>
> From your description I guess you do not have a client-side password
> checker but 'use_authtok' is set. If this is the case, please remove
> 'use_authtok' and try again.
>
> HTH
>
> bye,
> Sumit
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users

Hi Sumit,
thanks very much.
I replaced the line
/etc/pam.d/common-password:
    password sufficient pam_sss.so use_authtok
with
    password sufficient pam_sss.so
restarted lightdm and the password change succeeded like a charm.

Regards
Marc.
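
A lint for the rule Sumit describes in the thread, as an added example that is not part of the original messages or of sssd itself. It assumes the only modules that set the new password on the stack are the two checkers named in the thread; the function names and the third sample stack are constructed for illustration.

```python
# Added example (not from the thread): check a PAM "password" stack for the
# use_authtok mismatch described above.
CHECKERS = {"pam_cracklib.so", "pam_pwquality.so"}  # assumption: checkers named in the thread

def parse_password_stack(text):
    """Return (module, options) for each 'password' line, in stack order."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not fields or fields[0].lstrip("-") != "password":
            continue                                # other types, @include, blanks
        rest = fields[1:]
        if rest and rest[0].startswith("["):        # bracketed control: [a=b c=d]
            while rest and not rest[0].endswith("]"):
                rest = rest[1:]
        rest = rest[1:]                             # drop the control field
        if rest:
            stack.append((rest[0].rsplit("/", 1)[-1], rest[1:]))
    return stack

def check_pam_sss(text):
    """Return findings for pam_sss.so lines that break the use_authtok rule."""
    findings, checker_seen = [], False
    for module, opts in parse_password_stack(text):
        if module in CHECKERS:
            checker_seen = True
        elif module == "pam_sss.so":
            has_opt = "use_authtok" in opts
            if has_opt and not checker_seen:
                findings.append("pam_sss.so uses use_authtok but no checker sets the password")
            elif checker_seen and not has_opt:
                findings.append("a checker precedes pam_sss.so but use_authtok is missing")
    return findings

# Line Marc reported, and the line he replaced it with.
BEFORE = "password sufficient pam_sss.so use_authtok\n"
AFTER = "password sufficient pam_sss.so\n"
# Constructed sample: a checker placed ahead of pam_sss.so.
WITH_CHECKER = (
    "# constructed sample\n"
    "password requisite pam_pwquality.so retry=3\n"
    "password sufficient pam_sss.so use_authtok\n"
)

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER), ("with checker", WITH_CHECKER)):
        print(name, check_pam_sss(cfg) or "ok")
```

To check a real host, pass the contents of /etc/pam.d/common-password to check_pam_sss().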
