Howdy folks,
I'm having an issue with password resets which I'm sorry to say I haven't been
able to figure out by Google search or by searching the mailing list archives.
I tried to make my sssd configuration as minimal as possible following the doc on the wiki
about authenticating to 2008 AD server (see [3] below) and I used the keytab method and
instead of editing PAM files I ran authconfig because I'm on Red Hat.
When I switch (su - bryan.harris.adm) to my AD user and run passwd, it allows me to type
both old and new passwords. Right away it says "Password change failed." Then
after about 2 seconds it says "passwd: Authentication token manipulation error"
on a new line.
I found [1] and [2] below which seem similar to my issue. I have played a bit with my PAM
options, but to no avail. Can anyone tell me what I'm doing wrong? I can post the
huge log messages, I just didn't want the email to get too large straight away.
[1] - https://bugs.launchpad.net/ubuntu/+source/libpam-krb5/+bug/826989
[2] - https://lists.fedorahosted.org/pipermail/sssd-users/2012-July/000041.html
[3] - https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server
RHEL 6.4
pam-1.1.1-13
sssd-1.9.2-82
--- first off here is what I added to the my.great.domain zone in BIND ---
_ldap._tcp 1D IN SRV 0 100 389 dc01
_ldap._tcp 1D IN SRV 0 100 389 dc02
_kerberos._tcp 1D IN SRV 0 100 88 dc01
_kerberos._tcp 1D IN SRV 0 100 88 dc02
_kpasswd._tcp 1D IN SRV 0 100 464 dc01
_kpasswd._tcp 1D IN SRV 0 100 464 dc02
_kerberos._udp 1D IN SRV 0 100 88 dc01
_kerberos._udp 1D IN SRV 0 100 88 dc02
_kpasswd._udp 1D IN SRV 0 100 464 dc01
_kpasswd._udp 1D IN SRV 0 100 464 dc02
The rest of the files below are on linux-server.
--- /etc/pam.d/system-auth ---
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so maxrepeat=3 difok=4 lcredit=-1 ocredit=-1 ucredit=-1 dcredit=-1 try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow try_first_pass remember=24 use_authtok
password sufficient pam_sss.so use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session optional pam_krb5.so
--- /etc/pam.d/password-auth ---
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so maxrepeat=3 difok=4 lcredit=-1 ocredit=-1 ucredit=-1 dcredit=-1 try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session optional pam_krb5.so
--- /etc/krb5.conf ---
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MY.GREAT.DOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes
[realms]
MY.GREAT.DOMAIN = {
}
[domain_realm]
my.great.domain = MY.GREAT.DOMAIN
.my.great.domain = MY.GREAT.DOMAIN
--- /etc/krb5.keytab ---
# This has the keytab from the 2008 AD domain controller.
--- /etc/sssd/sssd.conf ---
[domain/default]
cache_credentials = False
krb5_realm = MY.GREAT.DOMAIN
auth_provider = krb5
chpass_provider = krb5
debug_level = 9
[sssd]
config_file_version = 2
domains = MY.GREAT.DOMAIN
services = nss, pam
debug_level = 9
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 9
[pam]
reconnection_retries = 3
debug_level = 9
[domain/MY.GREAT.DOMAIN]
enumerate = True
cache_credentials = False
id_provider = ldap
access_provider = ldap
ldap_access_filter = memberOf=CN=Linux Admins,OU=Security Groups,OU=Groups,OU=MYGROUP,DC=my,DC=great,DC=domain
auth_provider = krb5
chpass_provider = krb5
debug_level = 9
ldap_schema = rfc2307bis
ldap_force_upper_case_realm = True
ldap_sasl_mech = gssapi
ldap_sasl_authid = host/linux-server.my.great.domain@MY.GREAT.DOMAIN
ldap_uri = ldap://dc01.my.great.domain/,ldap://dc02.my.great.domain
ldap_user_name = sAMAccountName
ldap_user_object_class = person
ldap_group_object_class = group
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_modify_timestamp = whenChanged
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_user_gecos = displayName
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_ticket_lifetime = 86400
krb5_realm = MY.GREAT.DOMAIN
#krb5_kpasswd = dc01.my.great.domain
#krb5_server = dc01.my.great.domain,dc02.my.great.domain
krb5_validate = true
krb5_canonicalize = false
krb5_renewable_lifetime = 7d
krb5_lifetime = 24h
krb5_use_fast = try
--- grep -i error /var/log/secure ---
May 30 08:43:26 linux-server passwd: pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]
May 30 08:43:26 linux-server passwd: pam_sss(passwd:chauthtok): Password change failed for user bryan.harris.adm: 20 (Authentication token manipulation error
--- /var/log/sss/* ---
I am not sure what's relevant, I just posted some error lines. If needed I can (A)
truncate the files + (B) re-run passwd and then post the results. I ignored the DNS
errors after I noticed in the logs that it's correctly resolving everything afterwards
because it does a lookup on the SRV record (which I added to my BIND server), or at least
it looks to be correct AFAICS.
ldap_child.log: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
ldap_child.log: Received error from KDC: -1765328359/Additional pre-authentication required ...
sssd_nss.log: Got reply from Data Provider - DP error code: 3 errno: 19 error message: Subdomains back end target is not configured
sssd_nss.log: Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success ...
sssd_MY.GREAT.DOMAIN.log: Could not get fully qualified name for host name linux-server.my.great.domain error [2]: No such file or directory, resolver returned: [4]: Domain name not found
Thanks in advance,
Bryan
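Added illustration (not part of Bryan's message, nor code from the sssd project): the "Authentication token manipulation error" reported by passwd is PAM's generic outcome for the password phase, so the first thing worth checking is the order of the `password` lines and their `use_authtok` / `try_first_pass` arguments, which decide which module collects the new password and which modules merely reuse it. The Python helper below parses a Linux-PAM stack file, lists the modules consulted for the password phase in order, and flags three ordering mistakes: `use_authtok` on the first password module (no earlier module could have supplied a token), a later module that has neither argument (it may prompt a second time), and a chain that does not end in `required pam_deny.so` (the authconfig convention). The first sample is the password section copied from the system-auth above; the second is a deliberately misordered stack constructed for the example. Module and option names are the standard Linux-PAM ones; the finding codes are this example's own.

```python
import re
from dataclasses import dataclass, field


@dataclass
class PamEntry:
    phase: str      # auth, account, password or session
    control: str    # required, requisite, sufficient, optional or a [bracketed] action list
    module: str     # e.g. pam_sss.so
    args: list = field(default_factory=list)


# <phase> <control | [action=value ...]> <module> [args...]; a leading '-' marks an optional module.
LINE_RE = re.compile(r'^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$')


def parse_pam(text):
    """Parse a Linux-PAM stack file (system-auth style), skipping blank lines and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f'unparseable PAM line: {line!r}')
        phase, control, module, rest = m.groups()
        entries.append(PamEntry(phase.lstrip('-'), control, module, rest.split()))
    return entries


def chain(entries, phase):
    """The modules consulted, in file order, for one management phase."""
    return [e for e in entries if e.phase == phase]


TERMINATORS = {'pam_deny.so', 'pam_permit.so'}


def lint_password_chain(entries):
    """Return (module, finding) pairs for the 'password' phase.

    use_authtok-first : the first module wants a token an earlier module should have
                        collected, but nothing runs before it.
    may-reprompt      : a later module has neither use_authtok nor try_first_pass, so
                        the user may be asked for the new password a second time.
    no-pam_deny       : the chain does not end with 'required pam_deny.so', the
                        authconfig convention that makes the fall-through result explicit.
    """
    findings = []
    pw = chain(entries, 'password')
    for i, e in enumerate(pw):
        if e.module in TERMINATORS:
            continue
        if i == 0 and 'use_authtok' in e.args:
            findings.append((e.module, 'use_authtok-first'))
        if i > 0 and not ({'use_authtok', 'try_first_pass'} & set(e.args)):
            findings.append((e.module, 'may-reprompt'))
    if not pw or pw[-1].module != 'pam_deny.so' or pw[-1].control != 'required':
        findings.append(('<end of chain>', 'no-pam_deny'))
    return findings


# Password phase copied from the system-auth posted above (pam_cracklib collects the
# new token, the three providers reuse it, pam_deny terminates the chain).
SYSTEM_AUTH_PASSWORD = """\
# password phase from /etc/pam.d/system-auth
password requisite pam_cracklib.so maxrepeat=3 difok=4 lcredit=-1 ocredit=-1 ucredit=-1 dcredit=-1 try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow try_first_pass remember=24 use_authtok
password sufficient pam_sss.so use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
"""

# Constructed counter-example: pam_sss is asked to reuse a token nobody collected,
# pam_unix may prompt again, and there is no terminating pam_deny.
MISORDERED = """\
password sufficient pam_sss.so use_authtok
password sufficient pam_unix.so sha512 shadow
"""


def password_modules(text):
    """Convenience wrapper: ordered module names of the password phase."""
    return [e.module for e in chain(parse_pam(text), 'password')]


if __name__ == '__main__':
    for name, text in (('system-auth', SYSTEM_AUTH_PASSWORD), ('misordered', MISORDERED)):
        print(name, '->', ' ; '.join(password_modules(text)))
        for module, finding in lint_password_chain(parse_pam(text)):
            print('   ', finding, module)
```

Run it against a real `/etc/pam.d/system-auth` by passing the file's contents to `lint_password_chain(parse_pam(...))`; an empty result only means the ordering is conventional, so a remaining failure points at the provider itself (here pam_sss and the chpass_provider), which is where the sssd debug logs take over.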