Description of problem:

[ruben@dev ~]$ passwd
Changing password for user ruben.
Current Password:
passwd: Authentication token manipulation error

Version-Release number of selected component (if applicable):

[root@dev ~]# rpm -q sssd
sssd-1.5.7-1.fc14.x86_64
[root@ldap ~]# rpm -q openldap-servers
openldap-servers-2.4.23-10.fc14.x86_64

sssd_LDAP.log shows:

(Tue May 10 02:02:36 2011) [sssd[be[LDAP]]] [sdap_control_create] (3): Server does not support the requested control [1.3.6.1.4.1.42.2.27.8.5.1].
(Tue May 10 02:02:36 2011) [sssd[be[LDAP]]] [simple_bind_send] (4): Executing simple bind as: cn=Ruben Kerkhof,ou=People,dc=tilaa,dc=nl
(Tue May 10 02:02:36 2011) [sssd[be[LDAP]]] [simple_bind_done] (5): Server returned no controls.
(Tue May 10 02:02:36 2011) [sssd[be[LDAP]]] [simple_bind_done] (3): Bind result: Success(0), (null)
(Tue May 10 02:02:36 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success]
(Tue May 10 02:02:36 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Sending result [0][LDAP]
(Tue May 10 02:02:36 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Sent result [0][LDAP]
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [be_pam_handler] (4): Got request with the following data
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): command: PAM_CHAUTHTOK
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): domain: LDAP
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): user: ruben
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): service: passwd
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): tty: pts/0
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): ruser:
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): rhost:
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): authtok type: 1
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): authtok size: 8
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): newauthtok type: 1
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): newauthtok size: 0
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): priv: 0
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): cli_pid: 7767
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [sdap_pam_chpass_handler] (2): starting password change request for user [ruben].
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Sending result [4][LDAP]
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Sent result [4][LDAP]

I have the ppolicy overlay configured on the openldap server (control 1.3.6.1.4.1.42.2.27.8.5.1). It is working, but an ldapsearch doesn't show it, which is normal according to http://www.openldap.org/lists/openldap-software/200606/msg00220.html
This looks like an issue in the PAM configuration. Can you send /etc/pam.d/passwd and /etc/pam.d/system-auth? Did you use authconfig to create these files or did you edit one of them manually?
Hi Sumit,

Here's system-auth (symlinked to system-auth-ac):

# Managed by puppet
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     required      pam_mkhomedir.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_sss.so
session     required      pam_unix.so

And /etc/pam.d/passwd:

#%PAM-1.0
auth       include	system-auth
account    include	system-auth
password   substack	system-auth
-password   optional	pam_gnome_keyring.so use_authtok

And /etc/pam.d/password-auth (symlinked to password-auth-ac):

# Managed by puppet
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     required      pam_mkhomedir.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_sss.so
session     required      pam_unix.so
Please use 'use_authtok' in "password sufficient pam_sss.so use_authtok" only if you have a module like pam_cracklib.so, which will definitely query the user for a new password, before pam_sss.so in the PAM stack. pam_unix.so will only ask for new passwords for users in /etc/passwd.
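The condition in the comment above (pam_sss.so carrying use_authtok with nothing earlier in the password stack that actually prompts for a new password) is mechanical enough to check. The script below is an added example, not code from the bug report or from SSSD: it scans the "password" lines of one PAM file and flags a pam_sss.so line that has use_authtok before any pam_cracklib.so or pam_pwquality.so line has appeared. The two sample stacks are constructed for the demo; the "broken" one mirrors the stack posted in this thread, the "fixed" one assumes a pam_cracklib.so line placed first.

```shell
#!/bin/sh
# Added example: detect the PAM misconfiguration discussed in this thread.
# pam_unix.so does not count as a prompter, since it only asks users that
# exist in /etc/passwd for a new password.

# check_pam_password_stack FILE
# exit 0 if the password stack looks fine, 1 if pam_sss.so relies on
# use_authtok without a prompting module (pam_cracklib/pam_pwquality) before it
check_pam_password_stack() {
    file="$1"
    awk '
        /^[[:space:]]*#/ { next }          # skip comments
        $1 != "password" { next }          # only the password stack matters here
        /pam_cracklib\.so|pam_pwquality\.so/ { prompter = 1 }
        /pam_sss\.so/ && /use_authtok/ && !prompter {
            print "BAD (use_authtok with no prompter before it): " $0
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$file"
}

# Constructed sample: the stack from the report (not a file read from a system)
sample_broken_stack() {
    cat <<'EOF'
# constructed sample, mirrors the reporter's system-auth password section
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
EOF
}

# Constructed sample: pam_cracklib.so prompts first, so use_authtok on the later
# modules is satisfied (assumed layout, not a file from the thread)
sample_fixed_stack() {
    cat <<'EOF'
# constructed sample, pam_cracklib.so placed before pam_sss.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
EOF
}

# Demo against the two constructed samples only (never touches /etc/pam.d)
for name in broken fixed; do
    tmp=$(mktemp)
    "sample_${name}_stack" > "$tmp"
    if check_pam_password_stack "$tmp"; then
        echo "$name stack: ok"
    else
        echo "$name stack: misconfigured"
    fi
    rm -f "$tmp"
done
```

The check deliberately reads a single file and does not follow "include" or "substack" lines, so point it at the file that actually holds the password stack (system-auth here, which /etc/pam.d/passwd pulls in via substack). Dropping use_authtok from the pam_sss.so line is the other valid fix and also passes this check, since the module will then prompt for the new password itself.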
Great, that did the trick! Thanks.