Hello,

I would be grateful if somebody could give any advice.

My stuff and environment:

I have these configs at the top of all main pam-configs (just for test):
password [default=die success=ok]   my_custom_pam.so
password [default=die success=done] pam_sss.so use_authtok use_first_pass

my_custom_pam.so includes two simple functions which provide correct test user credentials:

#include <security/pam_modules.h>

/* Auth stage: hand the (test) password to the rest of the stack as PAM_AUTHTOK. */
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    pam_set_item(pamh, PAM_AUTHTOK, "q1w2e3r4t5y6");
    return PAM_SUCCESS;
}

/* Password stage: supply the same test password as both the old and the new token. */
PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    pam_set_item(pamh, PAM_OLDAUTHTOK, "q1w2e3r4t5y6");
    pam_set_item(pamh, PAM_AUTHTOK, "q1w2e3r4t5y6");
    return PAM_SUCCESS;
}

Initially I worked with the FreeIPA client. According to FreeIPA policy a new user should change his password during first login.
What I have is a successful auth stage, but pam_sss can't change the password due to an error response from the server.

...
Nov 27 08:35:04 test su[68635]: my_custom_pam(su:auth): [DEBUG] Debug: 1, Slot: 0
Nov 27 08:35:04 test su[68635]: my_custom_pam(su:auth): PAM_SUCCESS
Nov 27 08:35:04 test su[68635]: pam_sss(su:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/6 ruser=user rhost= user=test_u...@dc.test
Nov 27 08:35:04 test su[68635]: pam_sss(su:auth): received for user test_u...@dc.test: 12
Nov 27 08:35:04 test su[68635]: pam_sss(su:account): User info message: 
Nov 27 08:35:04 test su[68635]: my_custom_pam(su:chauthtok): [DEBUG] Debug: 1, Slot: 0
Nov 27 08:35:04 test su[68635]: my_custom_pam(su:chauthtok): PRELIM
Nov 27 08:35:04 test su[68635]: my_custom_pam(su:chauthtok): EXPIRED
Nov 27 08:35:04 test su[68635]: my_custom_pam(su:chauthtok): PAM_SUCCESS
Nov 27 08:35:04 test su[68635]: pam_sss(su:chauthtok): User info message: Old password not accepted.
Nov 27 08:35:04 test su[68635]: pam_sss(su:chauthtok): Authentication failed for user test_u...@dc.test: 4 (System error)
...

Next I tried to make the experiment in Active Directory and I got the same result. The server can't accept the user credentials.

I can't go through the chauthtok prelim step because of "old user password is not accepted" and I can't get the reason why it happens.
Moreover, if I remove the use_first_pass parameter then pam_sss will prompt for the current password. In this case I enter the same password and it works and the password is changed successfully.

No idea.

Thanks in advance
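
Added example (my own, not the poster's code and nothing from SSSD or Linux-PAM itself): a small C model of how libpam evaluates the two `password` lines quoted above, with pam_sss simulated to fail the PRELIM check with "4 (System error)" as the log shows. It assumes the Linux-PAM control-flag semantics for ok/done/die and that pam_chauthtok() walks the stack once per phase (PRELIM_CHECK, then UPDATE_AUTHTOK only if PRELIM succeeded).

```c
#include <stddef.h>

/* Values copied from Linux-PAM headers so the model builds without libpam. */
#define PAM_SUCCESS        0
#define PAM_SYSTEM_ERR     4
#define PAM_UPDATE_AUTHTOK 0x2000
#define PAM_PRELIM_CHECK   0x4000

enum action { ACT_OK, ACT_DONE, ACT_DIE };   /* control actions used by the two stack lines */
struct entry {
    int (*chauthtok)(int flags);   /* stand-in for the module's pam_sm_chauthtok */
    enum action on_success;        /* success=... */
    enum action on_default;        /* default=... (every other return code) */
};

/* my_custom_pam.so as posted: sets the tokens and always returns PAM_SUCCESS. */
static int custom_chauthtok(int flags) { (void)flags; return PAM_SUCCESS; }

/* pam_sss.so as seen in the log: rejects the old password in the PRELIM phase
 * with "4 (System error)"; assumed to succeed in the UPDATE phase. */
static int sss_chauthtok(int flags) {
    return (flags & PAM_PRELIM_CHECK) ? PAM_SYSTEM_ERR : PAM_SUCCESS;
}

static const struct entry stack[] = {
    { custom_chauthtok, ACT_OK,   ACT_DIE },   /* [default=die success=ok]   my_custom_pam.so */
    { sss_chauthtok,    ACT_DONE, ACT_DIE },   /* [default=die success=done] pam_sss.so */
};
static int g_update_ran;   /* 1 if the UPDATE_AUTHTOK pass was reached */

/* One pass over the password stack with the given phase flag; ok falls through. */
static int run_stack(int flags) {
    int result = PAM_SUCCESS;
    for (size_t i = 0; i < sizeof stack / sizeof stack[0]; i++) {
        int rc = stack[i].chauthtok(flags);
        enum action act = (rc == PAM_SUCCESS) ? stack[i].on_success : stack[i].on_default;
        if (act == ACT_DIE)  return rc;       /* die: abort now, report this module's error */
        if (act == ACT_DONE) return result;   /* done: stop now, the result so far stands */
    }
    return result;
}

/* pam_chauthtok() walks the stack twice; a PRELIM failure skips the UPDATE pass. */
static int pam_chauthtok_model(void) {
    int rc = run_stack(PAM_PRELIM_CHECK);
    g_update_ran = (rc == PAM_SUCCESS);
    return g_update_ran ? run_stack(PAM_UPDATE_AUTHTOK) : rc;
}

int main(void) { return pam_chauthtok_model(); }   /* exit status 4 mirrors the logged error */
```

Because the first line is `success=ok`, my_custom_pam's PAM_SUCCESS never ends the stack on its own; the outcome is decided by pam_sss, and its PRELIM rejection aborts the whole password change before any UPDATE pass runs.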


_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org