Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1078840

Summary: Error during password change
Product: Red Hat Enterprise Linux 7 Reporter: Kaushik Banerjee <kbanerje>
Component: sssdAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED CURRENTRELEASE QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: grajaiya, jagee, jgalipea, lslebodn, mkosek, pbrezina, preichl, sbose
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.11.2-61 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 10:52:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
krb5_child.log none

Description Kaushik Banerjee 2014-03-20 11:48:32 UTC 
Description of problem:
Error message is seen during password change. Although the change is successful.

Version-Release number of selected component (if applicable):
1.11.2-60.el7

How reproducible:
Always

Steps to Reproduce:
1. # ssh -l aduser1 localhost
aduser1@localhost's password: 
Password expired. Change your password now.
Last login: Thu Mar 20 17:10:18 2014 from localhost
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user aduser1.
Current Password: 
New password: 
Retype new password: 
passwd: Authentication token manipulation error
Connection to localhost closed.

2. Now, try to login with the changed password.
# ssh -l aduser1 localhost
aduser1@localhost's password: 
Last login: Thu Mar 20 17:10:55 2014 from localhost

3. /varlog/secure shows:
Mar 20 17:10:54 dhcp207-186 sshd[11363]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=aduser1
Mar 20 17:10:54 dhcp207-186 sshd[11363]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=aduser1
Mar 20 17:10:54 dhcp207-186 sshd[11363]: pam_sss(sshd:auth): received for user aduser1: 12 (Authentication token is no longer valid; new one required)
Mar 20 17:10:54 dhcp207-186 sshd[11363]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Mar 20 17:10:54 dhcp207-186 sshd[11363]: Accepted password for aduser1 from ::1 port 47301 ssh2
Mar 20 17:10:55 dhcp207-186 sshd[11363]: pam_unix(sshd:session): session opened for user aduser1 by (uid=0)
Mar 20 17:10:55 dhcp207-186 passwd: pam_unix(passwd:chauthtok): user "aduser1" does not exist in /etc/passwd
Mar 20 17:11:08 dhcp207-186 passwd: pam_unix(passwd:chauthtok): user "aduser1" does not exist in /etc/passwd
Mar 20 17:11:08 dhcp207-186 passwd: pam_sss(passwd:chauthtok): Password change failed for user aduser1: 4 (System error)
Mar 20 17:11:08 dhcp207-186 passwd: gkr-pam: couldn't update the login keyring password: no old password was entered
Mar 20 17:11:11 dhcp207-186 sshd[11366]: Received disconnect from ::1: 11: disconnected by user
Mar 20 17:11:11 dhcp207-186 sshd[11363]: pam_unix(sshd:session): session closed for user aduser1


Actual results:
Error message is seen during password change. Although the change is successful.

Expected results:
No error during password change.

Additional info:
Comment 2 Kaushik Banerjee 2014-03-20 12:10:23 UTC 
Created attachment 876800 [details]
krb5_child.log
Comment 3 Martin Kosek 2014-03-21 12:59:12 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2289
Comment 4 Jakub Hrozek 2014-03-21 22:18:35 UTC 
Fixed upstream:

    master:
        6bbff437dcea7e56d71cf119d1391be7264dfaf0
        4bdc95dd47a7f2898dea30c61355ed0f3be402d9
        9c20e3386a9716419772a0cf70dc742a5cd0551b
        d5043cd73bcfdca3f7e94c7df690236b30c73537 
    sssd-1-11:
        cf13b90a3976158fca70523815ad934f177d424b
        5744811daf558d5fd87316c29683f426386edbcc
        8f692f25e13cf59bc49cbda4a261bee0bdbfcf35
        aebb22fe6067b60490845c43a0eb3f434296704f
Comment 6 Kaushik Banerjee 2014-03-25 09:17:58 UTC 
Verified in build 1.11.2.-61.el7

Output from beaker run:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: account_password_policy_002: bz 1078840 User must change password on next logon
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

modifying entry "cn=testuser01,cn=Users,dc=sssdad2012,dc=com"

spawn ssh -o StrictHostKeyChecking=no -l testuser01 localhost
testuser01@localhost's password: 
Password expired. Change your password now.
Last login: Tue Mar 25 04:21:11 2014
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user testuser01.
Current Password: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
Connection to localhost closed.
:: [   PASS   ] :: Running 'su_success testuser01 NewPass3_123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should not contain 'system error'
account-password-policy-002 result: PASS
Comment 7 Jeremy Agee 2014-03-25 18:04:12 UTC 
test also added to the ad forest test.

https://beaker.engineering.redhat.com/jobs/619845
using sssd-1.11.2-60.el7.x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_forest_auth_02: bz 1078840 change password for all users from all domains
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'su_success user1_dom1 NewPass1_123' (Expected 0, got 0)
:: [   FAIL   ] :: File '/var/log/secure' should not contain 'system error' 
:: [   PASS   ] :: Running 'su_success user1_dom2 NewPass1_123' (Expected 0, got 0)
:: [   FAIL   ] :: File '/var/log/secure' should not contain 'system error' 
:: [   PASS   ] :: Running 'su_success user1_dom3.com NewPass1_123' (Expected 0, got 0)
:: [   FAIL   ] :: File '/var/log/secure' should not contain 'system error' 
:: [   LOG    ] :: Duration: 18s
:: [   LOG    ] :: Assertions: 3 good, 3 bad
:: [   FAIL   ] :: RESULT: ad_forest_auth_02: bz 1078840 change password for all users from all domains


https://beaker.engineering.redhat.com/jobs/619882
using sssd-1.11.2-61.el7.x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_forest_auth_02: bz 1078840 change password for all users from all domains
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'su_success user1_dom1 NewPass1_123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should not contain 'system error' 
:: [   PASS   ] :: Running 'su_success user1_dom2 NewPass1_123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should not contain 'system error' 
:: [   PASS   ] :: Running 'su_success user1_dom3.com NewPass1_123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should not contain 'system error' 
:: [   LOG    ] :: Duration: 9s
:: [   LOG    ] :: Assertions: 6 good, 0 bad
:: [   PASS   ] :: RESULT: ad_forest_auth_02: bz 1078840 change password for all users from all domains
Comment 8 Ludek Smid 2014-06-13 10:52:27 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.