Hi, sure. My auth files are based on this: - https://wiki.archlinux.org/title/LDAP_authentication#PAM_Configuration_2 - and this: https://sssd.io/docs/ad/ad-provider-manual.html#id6
but sssd.io docs are based on Debian/Ubuntu common-auth so I had to improvise... passwd file: password include system-auth system-auth file: auth sufficient pam_unix.so try_first_pass nullok auth sufficient pam_sss.so forward_pass auth optional pam_permit.so auth required pam_env.so auth requisite pam_deny.so account required pam_unix.so account [default=bad success=ok user_unknown=ignore] pam_sss.so account optional pam_permit.so account required pam_time.so password sufficient pam_unix.so try_first_pass nullok sha512 shadow use_authtok password sufficient pam_sss.so use_authtok password optional pam_permit.so session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 session required pam_limits.so session required pam_unix.so session optional pam_sss.so session optional pam_permit.so ----- Pawel wt., 11 maj 2021 o 15:25 Sumit Bose <[email protected]> napisał(a): > Am Tue, May 11, 2021 at 02:46:39PM +0200 schrieb Paweł Szafer: > > Hi again, > > > > Last week I had to change my sssd.conf to ldap_sasl_mech=GSSAPI. > > SSSD is 2.4.2 on Arch Linux. > > Don't know if it is related but now I can't change password with this > > machine (last time it was working in February). > > Anyway passwd is asking me for current password and after typing it + > Enter > > it returning with message: Password changed. > > Hi, > > this is most probably an issue with the PAM configuration. Can you share > /etc/pam.d/passwd? If it includes additional PAM configuration files, > please send them as well. > > bye, > Sumit > > > > > Error which are most important (I think) is: authentication service > cannot > > retrieve user authentication to the client (bold below in Polish). > > > > What I see in logs: > > > > pam_sss: > > > > (2021-05-11 14:40:28): [pam] [pam_initgr_check_timeout] (0x2000): User > > [test] found in PAM cache. > > (2021-05-11 14:40:28): [pam] [pam_dp_send_req] (0x0100): Sending request > > with the following data: > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): command: > > SSS_PAM_CHAUTHTOK > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): domain: > realm.domain > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): user: > > [email protected] > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): service: passwd > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): tty: not set > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): ruser: not set > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): rhost: not set > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): authtok type: 1 > > (Password) > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): newauthtok type: > 0 > > (No authentication token available) > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): priv: 0 > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): cli_pid: 955753 > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): logon name: test > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): flags: 4 > > (2021-05-11 14:40:28): [pam] [pam_dom_forwarder] (0x0100): > pam_dp_send_req > > returned 0 > > (2021-05-11 14:40:28): [pam] [sbus_dispatch] (0x4000): Dispatching. > > (2021-05-11 14:40:28): [pam] [pam_dp_send_req_done] (0x0200): received: > [15 > > (Usługa uwierzytelniania nie może uzyskać uwierzytelnienia > > użytkownika)][realm.domain] > > (2021-05-11 14:40:28): [pam] [ldb] (0x10000): Added timed event > > "ldb_kv_callback": 0x56049f493ce0 > > *(2021-05-11 14:40:28): [pam] [pam_reply] (0x4000): pam_reply initially > > called with result [15]: Usługa uwierzytelniania nie może uzyskać > > uwierzytelnienia użytkownika. this result might be changed during > > processing* > > (2021-05-11 14:40:28): [pam] [filter_responses] (0x0100): > > [pam_response_filter] not available, not fatal. > > (2021-05-11 14:40:28): [pam] [pam_reply] (0x0200): blen: 35 > > *(2021-05-11 14:40:28): [pam] [pam_reply] (0x0200): Returning [15]: > Usługa > > uwierzytelniania nie może uzyskać uwierzytelnienia użytkownika to the > > client* > > (2021-05-11 14:40:28): [pam] [client_recv] (0x0200): Client disconnected! > > (2021-05-11 14:40:28): [pam] [client_close_fn] (0x2000): Terminated > client > > [0x56049f489150][19] > > (2021-05-11 14:40:33): [pam] [pam_initgr_cache_remove] (0x2000): [test] > > removed from PAM initgroup cache > > > > krb5 logs > > > > (2021-05-11 14:40:28): [krb5_child[955777]] [main] (0x0400): krb5_child > > started. > > (2021-05-11 14:40:28): [krb5_child[955777]] [unpack_buffer] (0x1000): > total > > buffer size: [173] > > (2021-05-11 14:40:28): [krb5_child[955777]] [unpack_buffer] (0x0100): cmd > > [247 (password change checks)] uid [1175201116] gid [1175200513] validate > > [true] enterprise principal [false] offline [false] UPN > [[email protected]] > > (2021-05-11 14:40:28): [krb5_child[955777]] [unpack_buffer] (0x0100): > > ccname: [FILE:/tmp/krb5cc_1175201116_XXXXXX] old_ccname: > > [FILE:/tmp/krb5cc_1175201116_GlkSJ1] keytab: [/etc/krb5.keytab] > > (2021-05-11 14:40:28): [krb5_child[955777]] [check_use_fast] (0x0100): > Not > > using FAST. > > (2021-05-11 14:40:28): [krb5_child[955777]] [switch_creds] (0x0200): > Switch > > user to [1175201116][1175200513]. > > (2021-05-11 14:40:28): [krb5_child[955777]] [switch_creds] (0x0200): > Switch > > user to [0][0]. > > (2021-05-11 14:40:28): [krb5_child[955777]] [k5c_check_old_ccache] > > (0x4000): Ccache_file is [FILE:/tmp/krb5cc_1175201116_GlkSJ1] and is > > active and TGT is valid. > > (2021-05-11 14:40:28): [krb5_child[955777]] [privileged_krb5_setup] > > (0x0080): Cannot open the PAC responder socket > > (2021-05-11 14:40:28): [krb5_child[955777]] [become_user] (0x0200): > Trying > > to become user [1175201116][1175200513]. > > (2021-05-11 14:40:28): [krb5_child[955777]] [main] (0x2000): Running as > > [1175201116][1175200513]. > > (2021-05-11 14:40:28): [krb5_child[955777]] [sss_child_set_krb5_tracing] > > (0x0100): krb5 tracing is not available > > (2021-05-11 14:40:28): [krb5_child[955777]] [set_lifetime_options] > > (0x0100): No specific renewable lifetime requested. > > (2021-05-11 14:40:28): [krb5_child[955777]] [set_lifetime_options] > > (0x0100): No specific lifetime requested. > > (2021-05-11 14:40:28): [krb5_child[955777]] [set_canonicalize_option] > > (0x0100): Canonicalization is set to [true] > > (2021-05-11 14:40:28): [krb5_child[955777]] [main] (0x0400): Will perform > > password change checks > > (2021-05-11 14:40:28): [krb5_child[955777]] [changepw_child] (0x1000): > > Password change operation > > (2021-05-11 14:40:28): [krb5_child[955777]] [changepw_child] (0x0400): > > Attempting kinit for realm [REALM.DOMAIN] > > (2021-05-11 14:40:28): [krb5_child[955777]] [sss_krb5_responder] > (0x4000): > > Got question [password]. > > (2021-05-11 14:40:28): [krb5_child[955777]] [changepw_child] (0x2000): > > chpass is not using OTP > > (2021-05-11 14:40:28): [krb5_child[955777]] [changepw_child] (0x1000): > > Initial authentication for change password operation successful. > > (2021-05-11 14:40:28): [krb5_child[955777]] [k5c_send_data] (0x0200): > > Received error code 0 > > (2021-05-11 14:40:28): [krb5_child[955777]] [pack_response_packet] > > (0x2000): response packet size: [4] > > (2021-05-11 14:40:28): [krb5_child[955777]] [k5c_send_data] (0x4000): > > Response sent. > > (2021-05-11 14:40:28): [krb5_child[955777]] [main] (0x0400): krb5_child > > completed successfully > > (2021-05-11 14:40:28): [krb5_child[955786]] [main] (0x0400): krb5_child > > started. > > (2021-05-11 14:40:28): [krb5_child[955786]] [unpack_buffer] (0x1000): > total > > buffer size: [181] > > (2021-05-11 14:40:28): [krb5_child[955786]] [unpack_buffer] (0x0100): cmd > > [246 (password change)] uid [1175201116] gid [1175200513] validate [true] > > enterprise principal [false] offline [false] UPN [[email protected]] > > (2021-05-11 14:40:28): [krb5_child[955786]] [unpack_buffer] (0x0100): > > ccname: [FILE:/tmp/krb5cc_1175201116_XXXXXX] old_ccname: > > [FILE:/tmp/krb5cc_1175201116_GlkSJ1] keytab: [/etc/krb5.keytab] > > (2021-05-11 14:40:28): [krb5_child[955786]] [check_use_fast] (0x0100): > Not > > using FAST. > > (2021-05-11 14:40:28): [krb5_child[955786]] [switch_creds] (0x0200): > Switch > > user to [1175201116][1175200513]. > > (2021-05-11 14:40:28): [krb5_child[955786]] [switch_creds] (0x0200): > Switch > > user to [0][0]. > > (2021-05-11 14:40:28): [krb5_child[955786]] [k5c_check_old_ccache] > > (0x4000): Ccache_file is [FILE:/tmp/krb5cc_1175201116_GlkSJ1] and is > > active and TGT is valid. > > (2021-05-11 14:40:28): [krb5_child[955786]] [privileged_krb5_setup] > > (0x0080): Cannot open the PAC responder socket > > (2021-05-11 14:40:28): [krb5_child[955786]] [become_user] (0x0200): > Trying > > to become user [1175201116][1175200513]. > > (2021-05-11 14:40:28): [krb5_child[955786]] [main] (0x2000): Running as > > [1175201116][1175200513]. > > (2021-05-11 14:40:28): [krb5_child[955786]] [sss_child_set_krb5_tracing] > > (0x0100): krb5 tracing is not available > > (2021-05-11 14:40:28): [krb5_child[955786]] [set_lifetime_options] > > (0x0100): No specific renewable lifetime requested. > > (2021-05-11 14:40:28): [krb5_child[955786]] [set_lifetime_options] > > (0x0100): No specific lifetime requested. > > (2021-05-11 14:40:28): [krb5_child[955786]] [set_canonicalize_option] > > (0x0100): Canonicalization is set to [true] > > (2021-05-11 14:40:28): [krb5_child[955786]] [main] (0x0400): Will perform > > password change > > (2021-05-11 14:40:28): [krb5_child[955786]] [changepw_child] (0x1000): > > Password change operation > > (2021-05-11 14:40:28): [krb5_child[955786]] [changepw_child] (0x0400): > > Attempting kinit for realm [REALM.DOMAIN] > > (2021-05-11 14:40:28): [krb5_child[955786]] [sss_krb5_responder] > (0x4000): > > Got question [password]. > > (2021-05-11 14:40:28): [krb5_child[955786]] [changepw_child] (0x2000): > > chpass is not using OTP > > (2021-05-11 14:40:28): [krb5_child[955786]] [changepw_child] (0x0020): > > Failed to fetch new password [2] No such file or directory. > > (2021-05-11 14:40:28): [krb5_child[955786]] [k5c_send_data] (0x0200): > > Received error code 1432158219 > > (2021-05-11 14:40:28): [krb5_child[955786]] [pack_response_packet] > > (0x2000): response packet size: [4] > > (2021-05-11 14:40:28): [krb5_child[955786]] [k5c_send_data] (0x4000): > > Response sent. > > (2021-05-11 14:40:28): [krb5_child[955786]] [main] (0x0400): krb5_child > > completed successfully > > > > Thanks in advance for your help! > > > > ----- > > Best regards, > > Pawel > > > _______________________________________________ > > sssd-users mailing list -- [email protected] > > To unsubscribe send an email to [email protected] > > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure > _______________________________________________ > sssd-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure >
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
