On Tue, May 11, 2021 at 03:31:22PM +0200, Paweł Szafer wrote:
> Hi, sure.
> My auth files are based on this:
> - https://wiki.archlinux.org/title/LDAP_authentication#PAM_Configuration_2
> - and this: https://sssd.io/docs/ad/ad-provider-manual.html#id6
>
> but sssd.io docs are based on Debian/Ubuntu common-auth so I had to
> improvise...
>
> passwd file:
>
> password include system-auth
>
> system-auth file:
>
> auth sufficient pam_unix.so try_first_pass nullok
> auth sufficient pam_sss.so forward_pass
> auth optional pam_permit.so
> auth required pam_env.so
> auth requisite pam_deny.so
>
> account required pam_unix.so
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account optional pam_permit.so
> account required pam_time.so
>
> password sufficient pam_unix.so try_first_pass nullok sha512 shadow use_authtok
> password sufficient pam_sss.so use_authtok
Hi,

with use_authtok both pam_unix.so and pam_sss.so expect that another module
is prompting for the new password, e.g.

password requisite pam_pwquality.so try_first_pass local_users_only
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

HTH

bye,
Sumit

> password optional pam_permit.so
>
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session required pam_limits.so
> session required pam_unix.so
> session optional pam_sss.so
> session optional pam_permit.so
>
>
> -----
> Pawel
>
>
>
>
> Tue, 11 May 2021 at 15:25 Sumit Bose <sb...@redhat.com> wrote:
>
> > On Tue, May 11, 2021 at 02:46:39PM +0200, Paweł Szafer wrote:
> > > Hi again,
> > >
> > > Last week I had to change my sssd.conf to ldap_sasl_mech=GSSAPI.
> > > SSSD is 2.4.2 on Arch Linux.
> > > Don't know if it is related but now I can't change password with this
> > > machine (last time it was working in February).
> > > Anyway passwd is asking me for current password and after typing it + Enter
> > > it returns with message: Password changed.
> >
> > Hi,
> >
> > this is most probably an issue with the PAM configuration. Can you share
> > /etc/pam.d/passwd? If it includes additional PAM configuration files,
> > please send them as well.
> >
> > bye,
> > Sumit
> >
> > >
> > > Error which is most important (I think) is: authentication service cannot
> > > retrieve user authentication to the client (bold below in Polish).
> > >
> > > What I see in logs:
> > >
> > > pam_sss:
> > >
> > > (2021-05-11 14:40:28): [pam] [pam_initgr_check_timeout] (0x2000): User [test] found in PAM cache.
> > > (2021-05-11 14:40:28): [pam] [pam_dp_send_req] (0x0100): Sending request with the following data:
> > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): command: SSS_PAM_CHAUTHTOK
> > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): domain: realm.domain
> > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): user: test@realm.domain
> > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): service: passwd
> > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): tty: not set
> > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): ruser: not set
> > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): rhost: not set
> > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): authtok type: 1 (Password)
> > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): newauthtok type: 0 (No authentication token available)
> > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): priv: 0
> > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): cli_pid: 955753
> > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): logon name: test
> > > (2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): flags: 4
> > > (2021-05-11 14:40:28): [pam] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
> > > (2021-05-11 14:40:28): [pam] [sbus_dispatch] (0x4000): Dispatching.
> > > (2021-05-11 14:40:28): [pam] [pam_dp_send_req_done] (0x0200): received: [15 (Usługa uwierzytelniania nie może uzyskać uwierzytelnienia użytkownika)][realm.domain]
> > > (2021-05-11 14:40:28): [pam] [ldb] (0x10000): Added timed event "ldb_kv_callback": 0x56049f493ce0
> > > *(2021-05-11 14:40:28): [pam] [pam_reply] (0x4000): pam_reply initially called with result [15]: Usługa uwierzytelniania nie może uzyskać uwierzytelnienia użytkownika. this result might be changed during processing*
> > > (2021-05-11 14:40:28): [pam] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
> > > (2021-05-11 14:40:28): [pam] [pam_reply] (0x0200): blen: 35
> > > *(2021-05-11 14:40:28): [pam] [pam_reply] (0x0200): Returning [15]: Usługa uwierzytelniania nie może uzyskać uwierzytelnienia użytkownika to the client*
> > > (2021-05-11 14:40:28): [pam] [client_recv] (0x0200): Client disconnected!
> > > (2021-05-11 14:40:28): [pam] [client_close_fn] (0x2000): Terminated client [0x56049f489150][19]
> > > (2021-05-11 14:40:33): [pam] [pam_initgr_cache_remove] (0x2000): [test] removed from PAM initgroup cache
> > >
> > > krb5 logs
> > >
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [main] (0x0400): krb5_child started.
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [unpack_buffer] (0x1000): total buffer size: [173]
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [unpack_buffer] (0x0100): cmd [247 (password change checks)] uid [1175201116] gid [1175200513] validate [true] enterprise principal [false] offline [false] UPN [test@REALM.DOMAIN]
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1175201116_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_1175201116_GlkSJ1] keytab: [/etc/krb5.keytab]
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [check_use_fast] (0x0100): Not using FAST.
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [switch_creds] (0x0200): Switch user to [1175201116][1175200513].
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [switch_creds] (0x0200): Switch user to [0][0].
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_1175201116_GlkSJ1] and is active and TGT is valid.
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [become_user] (0x0200): Trying to become user [1175201116][1175200513].
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [main] (0x2000): Running as [1175201116][1175200513].
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [sss_child_set_krb5_tracing] (0x0100): krb5 tracing is not available
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested.
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [set_lifetime_options] (0x0100): No specific lifetime requested.
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [main] (0x0400): Will perform password change checks
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [changepw_child] (0x1000): Password change operation
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [changepw_child] (0x0400): Attempting kinit for realm [REALM.DOMAIN]
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [sss_krb5_responder] (0x4000): Got question [password].
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [changepw_child] (0x2000): chpass is not using OTP
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [changepw_child] (0x1000): Initial authentication for change password operation successful.
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [k5c_send_data] (0x0200): Received error code 0
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [pack_response_packet] (0x2000): response packet size: [4]
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [k5c_send_data] (0x4000): Response sent.
> > > (2021-05-11 14:40:28): [krb5_child[955777]] [main] (0x0400): krb5_child completed successfully
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [main] (0x0400): krb5_child started.
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [unpack_buffer] (0x1000): total buffer size: [181]
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [unpack_buffer] (0x0100): cmd [246 (password change)] uid [1175201116] gid [1175200513] validate [true] enterprise principal [false] offline [false] UPN [test@REALM.DOMAIN]
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1175201116_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_1175201116_GlkSJ1] keytab: [/etc/krb5.keytab]
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [check_use_fast] (0x0100): Not using FAST.
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [switch_creds] (0x0200): Switch user to [1175201116][1175200513].
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [switch_creds] (0x0200): Switch user to [0][0].
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_1175201116_GlkSJ1] and is active and TGT is valid.
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [become_user] (0x0200): Trying to become user [1175201116][1175200513].
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [main] (0x2000): Running as [1175201116][1175200513].
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [sss_child_set_krb5_tracing] (0x0100): krb5 tracing is not available
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested.
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [set_lifetime_options] (0x0100): No specific lifetime requested.
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [main] (0x0400): Will perform password change
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [changepw_child] (0x1000): Password change operation
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [changepw_child] (0x0400): Attempting kinit for realm [REALM.DOMAIN]
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [sss_krb5_responder] (0x4000): Got question [password].
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [changepw_child] (0x2000): chpass is not using OTP
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [changepw_child] (0x0020): Failed to fetch new password [2] No such file or directory.
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [k5c_send_data] (0x0200): Received error code 1432158219
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [pack_response_packet] (0x2000): response packet size: [4]
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [k5c_send_data] (0x4000): Response sent.
> > > (2021-05-11 14:40:28): [krb5_child[955786]] [main] (0x0400): krb5_child completed successfully
> > >
> > > Thanks in advance for your help!
> > >
> > > -----
> > > Best regards,
> > > Pawel
> >
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
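The misconfiguration Sumit points out (every module in the password stack carrying use_authtok, so nothing ever prompts for a new password, which is what the "newauthtok type: 0 (No authentication token available)" and "Failed to fetch new password" lines in the logs show) can be caught by a static check before any user runs passwd. The following is an added example, not part of the thread and not SSSD or Linux-PAM code: a small Python checker that parses pam.d rules (including the bracketed `[default=bad ...]` control syntax used in the quoted system-auth) and flags every password-phase module with use_authtok that no earlier prompting module precedes. The NON_PROMPTING set is an assumption (any other password module without use_authtok is treated as able to prompt), and both sample stacks are constructed from the configs quoted above. include/substack lines are not followed, so point it at the file that actually holds the stack (system-auth in this thread, not passwd).

```python
import re
from typing import List, NamedTuple


# One pam.d rule: "<type> <control> <module> [args...]".
class PamRule(NamedTuple):
    type: str       # auth | account | password | session
    control: str    # required | sufficient | [default=bad ...] | include ...
    module: str     # e.g. pam_sss.so (or the included file name)
    args: List[str]


# The control field is either a bare word or a bracketed "[key=val ...]" group.
_RULE_RE = re.compile(
    r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$"
)


def parse_pam(text: str) -> List[PamRule]:
    """Parse the rules of one pam.d file; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable PAM rule: {raw!r}")
        rules.append(PamRule(m["type"].lstrip("-"), m["control"],
                             m["module"], m["args"].split()))
    return rules


# Assumption: these password-phase modules never prompt for a new token; any
# other password module that lacks use_authtok is assumed to prompt itself.
NON_PROMPTING = {"pam_permit.so", "pam_deny.so", "pam_env.so", "pam_time.so"}


def check_password_stack(rules: List[PamRule]) -> List[str]:
    """Return one finding per use_authtok module that no prompting module precedes."""
    findings = []
    prompter_seen = False
    for r in rules:
        if r.type != "password":
            continue
        if r.control in ("include", "substack"):
            # Not followed here: run the check on the included file itself.
            continue
        if "use_authtok" in r.args:
            if not prompter_seen:
                findings.append(
                    f"{r.module}: use_authtok but no earlier password module "
                    "prompts for the new token, so PAM_AUTHTOK will be unset")
        elif r.module not in NON_PROMPTING:
            prompter_seen = True
    return findings


# Constructed sample: the stack quoted in the thread that fails.
BROKEN_SYSTEM_AUTH = """
account required pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
password sufficient pam_unix.so try_first_pass nullok sha512 shadow use_authtok
password sufficient pam_sss.so use_authtok
password optional pam_permit.so
"""

# Constructed sample: the stack suggested in the reply; pam_pwquality prompts first.
FIXED_SYSTEM_AUTH = """
password requisite pam_pwquality.so try_first_pass local_users_only
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_SYSTEM_AUTH), ("fixed", FIXED_SYSTEM_AUTH)):
        problems = check_password_stack(parse_pam(text))
        print(f"{name}: {'OK' if not problems else 'findings'}")
        for p in problems:
            print("  -", p)
```

On the broken stack both pam_unix.so and pam_sss.so are reported; on the suggested stack nothing is, because pam_pwquality.so runs first without use_authtok and supplies the token the later modules consume.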