On Mon, Nov 19, 2012 at 09:18:51PM +0100, Marc Grimme wrote:
Hello sssd list.
My problem is that an Ubuntu 12.04 client configured with sssd cannot
change a password that has to be set anew for IPA.
As I've learned from the IPA list there are indications that sssd might
be the problem in this case.
With logging=10 in sssd.conf I see the following logs by sssd:
When a user password expires the users are requested to change their
password (in the login screen).
They'll type their old password and then repeat it as part of the change
process. Nevertheless - although the password matches - they are not
prompted to input their new password but get the error message that this
action could not be performed (Password change failed. Server message..).
I guess it is your PAM configuration. If you use a client side password
checker, e.g. pam_cracklib or pam_pwquality.so, in the password section
of your PAM configuration you have to add the 'use_authtok' option to
pam_sss in the section. If you do not use any checker you must not use
'use_authtok' here because sssd would expect a password to be available
on the PAM stack but no module sets it.
From your description I guess you do not have a client-side password
checker but 'use_authtok' is set. If this is the case, please remove
'use_authtok' and try again.
HTH
bye,
Sumit