Hello, I would be grateful if somebody could give me any advice.
My stuff and environment: I have these configs at the top of all the main pam-configs (just for test):

    password [default=die success=ok]   my_custom_pam.so
    password [default=die success=done] pam_sss.so use_authtok use_first_pass

my_custom_pam.so includes two simple functions which provide the correct test user credentials:

    #include <security/pam_modules.h>

    /* Test-only module: instead of prompting, it stores a fixed password
     * for the test user in the PAM items so that the following module can
     * pick it up via use_first_pass / use_authtok. */
    PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,
                                       int argc, const char **argv)
    {
        (void)flags; (void)argc; (void)argv;
        if (pam_set_item(pamh, PAM_AUTHTOK, "q1w2e3r4t5y6") != PAM_SUCCESS)
            return PAM_AUTHTOK_ERR;
        return PAM_SUCCESS;
    }

    /* Called twice by the framework: once with PAM_PRELIM_CHECK and once
     * with PAM_UPDATE_AUTHTOK. Both the old and the new token are set on
     * every call. */
    PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
                                    int argc, const char **argv)
    {
        (void)flags; (void)argc; (void)argv;
        if (pam_set_item(pamh, PAM_OLDAUTHTOK, "q1w2e3r4t5y6") != PAM_SUCCESS)
            return PAM_AUTHTOK_ERR;
        if (pam_set_item(pamh, PAM_AUTHTOK, "q1w2e3r4t5y6") != PAM_SUCCESS)
            return PAM_AUTHTOK_ERR;
        return PAM_SUCCESS;
    }

Initially I worked with a FreeIPA client. According to FreeIPA policy a new user should change his password during the first login. What I have is a successful auth stage, but pam_sss can't change the password due to an error server response.

    ...
    Nov 27 08:35:04 test su[68635]: my_custom_pam(su:auth): [DEBUG] Debug: 1, Slot: 0
    Nov 27 08:35:04 test su[68635]: my_custom_pam(su:auth): PAM_SUCCESS
    Nov 27 08:35:04 test su[68635]: pam_sss(su:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/6 ruser=user rhost= user=test_u...@dc.test
    Nov 27 08:35:04 test su[68635]: pam_sss(su:auth): received for user test_u...@dc.test: 12
    Nov 27 08:35:04 test su[68635]: pam_sss(su:account): User info message:
    Nov 27 08:35:04 test su[68635]: my_custom_pam(su:chauthtok): [DEBUG] Debug: 1, Slot: 0
    Nov 27 08:35:04 test su[68635]: my_custom_pam(su:chauthtok): PRELIM
    Nov 27 08:35:04 test su[68635]: my_custom_pam(su:chauthtok): EXPIRED
    Nov 27 08:35:04 test su[68635]: my_custom_pam(su:chauthtok): PAM_SUCCESS
    Nov 27 08:35:04 test su[68635]: pam_sss(su:chauthtok): User info message: Old password not accepted.
    Nov 27 08:35:04 test su[68635]: pam_sss(su:chauthtok): Authentication failed for user test_u...@dc.test: 4 (System error)
    ...
Next I tried the same experiment against Active Directory and got the same result. The server can't accept the user credentials. I can't get through the chauthtok prelim step because of "old user password is not accepted" and I can't find the reason why it happens. Moreover, if I remove the use_first_pass parameter then pam_sss will prompt for the current password. In this case I enter the same password and it works, and the password is changed successfully.

No idea. Thanks in advance.

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
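The two-line stack in the post uses bracketed control fields, and which module result ends up as the stack's return value depends on how Linux-PAM combines the ok/done/die actions. The evaluator below is an added example, not code from the poster, from SSSD or from Linux-PAM: it models the subset of pam_dispatch.c behaviour that matters here (ok, done, bad, die, ignore, the "first failure wins" bookkeeping, and the PAM_PERM_DENIED result when nothing contributed); jumps (N) and reset are deliberately not modelled. The return codes and their control-field names are the Linux-PAM ones; the scenarios at the end are constructed inputs, not a reproduction of the poster's logs.

```python
"""Simplified evaluator for Linux-PAM "[value=action ...]" control fields.

Constructed example. Models ok/done/bad/die/ignore and the
positive/negative "impression" tracking of pam_dispatch.c only;
numeric jumps and "reset" are not handled.
"""

# Linux-PAM return codes (values from <security/_pam_types.h>).
PAM_SUCCESS = 0
PAM_SYSTEM_ERR = 4
PAM_PERM_DENIED = 6
PAM_AUTH_ERR = 7
PAM_NEW_AUTHTOK_REQD = 12
PAM_AUTHTOK_ERR = 20
PAM_IGNORE = 25

# Names as written in a control field, e.g. "success=ok".
CODE_NAMES = {
    PAM_SUCCESS: "success",
    PAM_SYSTEM_ERR: "system_err",
    PAM_PERM_DENIED: "perm_denied",
    PAM_AUTH_ERR: "auth_err",
    PAM_NEW_AUTHTOK_REQD: "new_authtok_reqd",
    PAM_AUTHTOK_ERR: "authtok_err",
    PAM_IGNORE: "ignore",
}


def parse_control(field):
    """Turn '[default=die success=ok]' into {'default': 'die', 'success': 'ok'}."""
    body = field.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected bracketed control field: %r" % field)
    actions = {}
    for token in body[1:-1].split():
        value, _, action = token.partition("=")
        if not value or not action:
            raise ValueError("bad token %r in %r" % (token, field))
        actions[value] = action
    return actions


def action_for(actions, retval):
    """Pick the action for a return code: explicit name, then 'default',
    and Linux-PAM treats a code with no action at all as 'bad'."""
    name = CODE_NAMES.get(retval)
    if name in actions:
        return actions[name]
    return actions.get("default", "bad")


def run_stack(stack, results):
    """Evaluate one management-group stack.

    stack:   list of (control_field, module_name) in file order
    results: module_name -> return code that module produces
    Returns (final_code, trace); trace holds (module, retval, action)
    for every module that was actually called.
    """
    impression = None          # None = undefined, True = positive, False = negative
    status = PAM_PERM_DENIED   # returned when no module contributed a result
    trace = []
    for control, module in stack:
        retval = results[module]
        action = action_for(parse_control(control), retval)
        trace.append((module, retval, action))
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            # A positive result only replaces an earlier one while the
            # running status is still PAM_SUCCESS, and never replaces a
            # failure. PAM_IGNORE only counts if nothing was recorded yet.
            if impression is None or (impression and status == PAM_SUCCESS):
                if retval != PAM_IGNORE or impression is None:
                    impression = True
                    status = retval
            if action == "done" and impression:
                break
        elif action in ("bad", "die"):
            # The first failure wins; later failures do not replace it.
            if impression is not False:
                impression = False
                status = retval
            if action == "die":
                break
        else:
            raise ValueError("action %r is not modelled here" % action)
    return status, trace


# The two lines from the post, as one stack.
POSTED_STACK = [
    ("[default=die success=ok]", "my_custom_pam.so"),
    ("[default=die success=done]", "pam_sss.so"),
]


def evaluate_scenarios():
    """Run constructed module results through the posted stack."""
    scenarios = {
        "both succeed": {"my_custom_pam.so": PAM_SUCCESS, "pam_sss.so": PAM_SUCCESS},
        "sss wants new password": {"my_custom_pam.so": PAM_SUCCESS, "pam_sss.so": PAM_NEW_AUTHTOK_REQD},
        "sss rejects": {"my_custom_pam.so": PAM_SUCCESS, "pam_sss.so": PAM_AUTH_ERR},
        "custom module fails": {"my_custom_pam.so": PAM_AUTH_ERR, "pam_sss.so": PAM_SUCCESS},
        "sss system error": {"my_custom_pam.so": PAM_SUCCESS, "pam_sss.so": PAM_SYSTEM_ERR},
    }
    return {name: run_stack(POSTED_STACK, r)[0] for name, r in scenarios.items()}


if __name__ == "__main__":
    for name, code in evaluate_scenarios().items():
        print("%-24s -> %2d (%s)" % (name, code, CODE_NAMES[code]))
```

Two things the trace makes visible: with default=die on the first line, a failure in my_custom_pam.so stops the stack before pam_sss.so is ever called, and any non-success code from pam_sss.so (including new_authtok_reqd, which is not listed as success) becomes the stack's result unchanged, which is what the application then acts on.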