Bug 703315

Summary: Unable to change password
Product: Fedora
Component: sssd
Version: 14
Reporter: Ruben Kerkhof <ruben>
Assignee: Stephen Gallagher <sgallagh>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: jhrozek, sbose, sgallagh, ssorce
Status: CLOSED NOTABUG
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-05-10 11:29:21 EDT

Description Ruben Kerkhof 2011-05-09 20:05:00 EDT
Description of problem:

[ruben@dev ~]$ passwd
Changing password for user ruben.
Current Password: 
passwd: Authentication token manipulation error

Version-Release number of selected component (if applicable):
[root@dev ~]# rpm -q sssd
sssd-1.5.7-1.fc14.x86_64
[root@ldap ~]# rpm -q openldap-servers
openldap-servers-2.4.23-10.fc14.x86_64

sssd_LDAP.log shows:

(Tue May 10 02:02:36 2011) [sssd[be[LDAP]]] [sdap_control_create] (3): Server does not support the requested control [1.3.6.1.4.1.42.2.27.8.5.1].
(Tue May 10 02:02:36 2011) [sssd[be[LDAP]]] [simple_bind_send] (4): Executing simple bind as: cn=Ruben Kerkhof,ou=People,dc=tilaa,dc=nl
(Tue May 10 02:02:36 2011) [sssd[be[LDAP]]] [simple_bind_done] (5): Server returned no controls.
(Tue May 10 02:02:36 2011) [sssd[be[LDAP]]] [simple_bind_done] (3): Bind result: Success(0), (null)
(Tue May 10 02:02:36 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success]
(Tue May 10 02:02:36 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Sending result [0][LDAP]
(Tue May 10 02:02:36 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Sent result [0][LDAP]
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [be_pam_handler] (4): Got request with the following data
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): command: PAM_CHAUTHTOK
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): domain: LDAP
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): user: ruben
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): service: passwd
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): tty: pts/0
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): ruser: 
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): rhost: 
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): authtok type: 1
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): authtok size: 8
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): newauthtok type: 1
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): newauthtok size: 0
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): priv: 0
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): cli_pid: 7767
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [sdap_pam_chpass_handler] (2): starting password change request for user [ruben].
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Sending result [4][LDAP]
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Sent result [4][LDAP]

I have the ppolicy overlay configured on the openldap server (control 1.3.6.1.4.1.42.2.27.8.5.1).
It is working, but an ldapsearch doesn't show it, which is normal according to http://www.openldap.org/lists/openldap-software/200606/msg00220.html
Comment 1 Sumit Bose 2011-05-10 02:51:02 EDT
This looks like an issue in the PAM configuration. Can you send /etc/pam.d/passwd and /etc/pam.d/system-auth? Did you use authconfig to create these files or did you edit one of them manually?
Comment 2 Ruben Kerkhof 2011-05-10 08:28:21 EDT
Hi Sumit,

Here's system-auth (symlinked to system-auth-ac):

# Managed by puppet

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     required      pam_mkhomedir.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_sss.so
session     required      pam_unix.so

And /etc/pam.d/passwd:

#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   substack     system-auth
-password   optional    pam_gnome_keyring.so use_authtok

And /etc/pam.d/password-auth (symlinked to password-auth-ac):

# Managed by puppet

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     required      pam_mkhomedir.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_sss.so
session     required      pam_unix.so
Comment 3 Sumit Bose 2011-05-10 08:59:34 EDT
Please use 'use_authtok' in "password    sufficient    pam_sss.so use_authtok" only if you have a module like pam_cracklib.so, which will definitely query the user for a new password, before pam_sss.so in the PAM stack. pam_unix.so will only ask for new passwords for users in /etc/passwd.
Comment 4 Ruben Kerkhof 2011-05-10 11:29:21 EDT
Great, that did the trick! Thanks.
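The ordering rule from Comment 3, as an added example (this is not code from the bug report, from sssd or from Linux-PAM): a small Python linter that parses a pam.d file, keeps only its password stack, and flags every module given use_authtok with no always-prompting module stacked before it. The sample stacks are constructed from the system-auth posted in Comment 2 and from the fix suggested in Comment 3. The set of modules treated as "always prompts for a new password" (pam_cracklib.so, pam_pwquality.so, pam_passwdqc.so) and the handling of include/substack lines are assumptions. It generalizes the comment slightly: the same test is applied to pam_unix.so, because use_authtok has the same "never prompt, take the token a previous module stored" meaning there, which matters for local accounts rather than for the SSSD user in this report.

```python
"""Lint a Linux-PAM 'password' stack for the use_authtok ordering problem.

Added example for bug 703315, not code from the report, from sssd or from
Linux-PAM.  The sample stacks below are constructed from the system-auth
posted in Comment 2 and from the fix suggested in Comment 3.  The set of
modules treated as "always prompts for a new password" is an assumption
that you may need to extend for your own system.
"""
import re

# Modules that always prompt for a new password and store it in PAM_AUTHTOK.
# pam_unix.so is deliberately absent: as Comment 3 says, it only prompts for
# users present in /etc/passwd, so an SSSD user stacked after it gets nothing.
PROMPTING_MODULES = {"pam_cracklib.so", "pam_pwquality.so", "pam_passwdqc.so"}

# type  control  module  [args...]; control may be bracketed, type may carry
# the leading '-' that marks an optional module in Linux-PAM.
_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_password_stack(text):
    """Return the 'password' lines of a pam.d file as (lineno, control, module, args)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        m = _LINE.match(line) if line else None
        if not m or m.group(1) != "password":
            continue
        _, control, module, args = m.groups()
        entries.append((lineno, control, module, (args or "").split()))
    return entries


def check_use_authtok(text):
    """Return [(lineno, module)] for every module given use_authtok before any
    module that is guaranteed to have set PAM_AUTHTOK.  An empty list is OK.

    use_authtok means "never prompt, use the token a previous module stored",
    so with nothing prompting ahead of it the module receives an empty new
    token and fails; passwd reports that as
    "Authentication token manipulation error".
    """
    findings = []
    seen_prompter = False
    for lineno, control, module, args in parse_password_stack(text):
        if "use_authtok" in args and not seen_prompter:
            findings.append((lineno, module))
        if module in PROMPTING_MODULES:
            seen_prompter = True
        elif control in ("include", "substack"):
            # Assumption: we cannot see inside the included file, so treat it
            # as having prompted rather than flag everything after it.
            seen_prompter = True
    return findings


def apply_fix(text):
    """Apply the Comment 3 fix to every flagged line: drop use_authtok so the
    module prompts for the new password itself.  (Stacking pam_cracklib.so or
    pam_pwquality.so first and keeping use_authtok is the other valid layout.)"""
    bad = {lineno for lineno, _ in check_use_authtok(text)}
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if lineno in bad:
            raw = re.sub(r"\s+use_authtok\b", "", raw)   # keep the column layout
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed copy of the password stack posted in Comment 2.
POSTED_STACK = """\
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
"""

# Comment 3's fix applied to every flagged line.
FIXED_STACK = apply_fix(POSTED_STACK)

# The other shape Comment 3 describes: a module that always prompts comes
# first, so use_authtok on the later modules is legitimate.
CRACKLIB_STACK = """\
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
"""

if __name__ == "__main__":
    for name, stack in (("posted", POSTED_STACK), ("fixed", FIXED_STACK),
                        ("cracklib", CRACKLIB_STACK)):
        print(name, check_use_authtok(stack))
```

Running it over the posted stack flags both pam_unix.so and pam_sss.so; the fixed stack and the cracklib-first stack come back clean. The log line to correlate a finding with is the `newauthtok size: 0` entry in sssd_LDAP.log above: that is PAM handing pam_sss.so an empty new token because nothing earlier in the stack prompted for one.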