Bug 703315 - Unable to change password
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: sssd
Version: 14
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Stephen Gallagher
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-05-09 20:05 EDT by Ruben Kerkhof
Modified: 2011-05-10 11:29 EDT
Doc Type: Bug Fix
Last Closed: 2011-05-10 11:29:21 EDT
Description Ruben Kerkhof 2011-05-09 20:05:00 EDT
Description of problem:

[ruben@dev ~]$ passwd
Changing password for user ruben.
Current Password: 
passwd: Authentication token manipulation error

Version-Release number of selected component (if applicable):
[root@dev ~]# rpm -q sssd
sssd-1.5.7-1.fc14.x86_64
[root@ldap ~]# rpm -q openldap-servers
openldap-servers-2.4.23-10.fc14.x86_64

sssd_LDAP.log shows:

(Tue May 10 02:02:36 2011) [sssd[be[LDAP]]] [sdap_control_create] (3): Server does not support the requested control [1.3.6.1.4.1.42.2.27.8.5.1].
(Tue May 10 02:02:36 2011) [sssd[be[LDAP]]] [simple_bind_send] (4): Executing simple bind as: cn=Ruben Kerkhof,ou=People,dc=tilaa,dc=nl
(Tue May 10 02:02:36 2011) [sssd[be[LDAP]]] [simple_bind_done] (5): Server returned no controls.
(Tue May 10 02:02:36 2011) [sssd[be[LDAP]]] [simple_bind_done] (3): Bind result: Success(0), (null)
(Tue May 10 02:02:36 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success]
(Tue May 10 02:02:36 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Sending result [0][LDAP]
(Tue May 10 02:02:36 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Sent result [0][LDAP]
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [be_pam_handler] (4): Got request with the following data
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): command: PAM_CHAUTHTOK
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): domain: LDAP
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): user: ruben
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): service: passwd
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): tty: pts/0
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): ruser: 
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): rhost: 
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): authtok type: 1
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): authtok size: 8
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): newauthtok type: 1
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): newauthtok size: 0
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): priv: 0
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [pam_print_data] (4): cli_pid: 7767
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [sdap_pam_chpass_handler] (2): starting password change request for user [ruben].
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Sending result [4][LDAP]
(Tue May 10 02:02:37 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Sent result [4][LDAP]

I have the ppolicy overlay configured on the openldap server (control 1.3.6.1.4.1.42.2.27.8.5.1).
It is working, but an ldapsearch doesn't show it, which is normal according to http://www.openldap.org/lists/openldap-software/200606/msg00220.html
Comment 1 Sumit Bose 2011-05-10 02:51:02 EDT
This looks like an issue in the PAM configuration. Can you send /etc/pam.d/passwd and /etc/pam.d/system-auth? Did you use authconfig to create these files or did you edit one of them manually?
Comment 2 Ruben Kerkhof 2011-05-10 08:28:21 EDT
Hi Sumit,

Here's system-auth (symlinked to system-auth-ac):

# Managed by puppet

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     required      pam_mkhomedir.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_sss.so
session     required      pam_unix.so

And /etc/pam.d/passwd:

#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   substack     system-auth
-password   optional    pam_gnome_keyring.so use_authtok

And /etc/pam.d/password-auth (symlinked to password-auth-ac):

# Managed by puppet

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     required      pam_mkhomedir.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_sss.so
session     required      pam_unix.so
Comment 3 Sumit Bose 2011-05-10 08:59:34 EDT
Please use 'use_authtok' in "password    sufficient    pam_sss.so use_authtok" only if you have a module like pam_cracklib.so, which definitively will query the user for a new password, before pam_sss.so in the pam stack. pam_unix.so will only ask for new passwords for users in /etc/passwd.
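The rule in the comment above (use_authtok is only safe when a module that always prompts for the new password, such as pam_cracklib.so, precedes it in the password stack) can be checked mechanically. The following is an added example written for this page, not code from the bug thread, from sssd or from authconfig: a small Python lint that expands include/substack, walks the password stack top to bottom and reports every module whose use_authtok has no preceding prompter. The sample stacks are constructed from the configs posted in Comment 2 (other sections trimmed); the "fixed" stack with pam_cracklib.so first is an assumption, since the thread does not say which of the two suggested changes the reporter applied, and counting pam_pwquality.so as a prompting module is an assumption beyond the page. pam_unix.so is deliberately not treated as a prompter, because it only asks users in /etc/passwd, which does not help an sssd user.

```python
"""Lint PAM 'password' stacks for the use_authtok trap from this bug.

Added example, not code from the bug thread or from sssd. Rule: a module
given use_authtok never prompts for the new password, so some module that
*always* prompts (pam_cracklib.so) must precede it in the password stack.
pam_unix.so is not counted as a prompter because it only asks for users
in /etc/passwd, which does not help an LDAP/sssd user.
"""
import re
from dataclasses import dataclass, field

# Modules that always prompt for, and set, the new authtok.
# pam_cracklib.so is named in the bug; pam_pwquality.so is assumed here
# as its later replacement on Fedora/RHEL (not stated on the page).
PROMPTING_MODULES = {"pam_cracklib.so", "pam_pwquality.so"}

# Control keywords that pull in another file instead of loading a module.
INCLUDE_CONTROLS = {"include", "substack"}

# [-]type  control(possibly bracketed)  module  args...
_RULE_RE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


@dataclass
class PamRule:
    lineno: int
    mgmt: str        # auth / account / password / session
    control: str     # sufficient, required, [...], include, substack, ...
    module: str      # e.g. pam_sss.so, or a file name for include/substack
    args: list = field(default_factory=list)


def parse_pam(text):
    """Parse pam.d-style text into PamRule objects, skipping comments and blanks."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        _optional, mgmt, control, module, rest = m.groups()
        rules.append(PamRule(lineno, mgmt, control, module, rest.split()))
    return rules


def flatten(files, name, mgmt):
    """Return the `mgmt` rules of stack `name` with include/substack expanded.

    `files` maps a pam.d file name to its text (a stand-in for /etc/pam.d).
    """
    out = []
    for rule in parse_pam(files[name]):
        if rule.mgmt != mgmt:
            continue
        if rule.control in INCLUDE_CONTROLS:
            out.extend(flatten(files, rule.module, mgmt))
        else:
            out.append(rule)
    return out


def lint_use_authtok(files, name, prompting=PROMPTING_MODULES):
    """Return modules in stack `name` whose use_authtok has nothing to use.

    A module is flagged when it carries use_authtok and no prompting module
    (itself without use_authtok) appears earlier in the password stack.
    """
    flagged = []
    prompted = False
    for rule in flatten(files, name, "password"):
        uses_authtok = "use_authtok" in rule.args
        if rule.module in prompting and not uses_authtok:
            prompted = True              # from here on use_authtok is safe
        elif uses_authtok and not prompted:
            flagged.append(rule.module)
    return flagged


# Constructed samples. BUG_STACKS reproduces the password stack from the
# bug report (other sections trimmed); FIXED_STACKS is an authconfig-style
# stack where pam_cracklib.so prompts first (assumed fix, see lead-in).
BUG_STACKS = {
    "passwd": """\
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   substack     system-auth
-password   optional    pam_gnome_keyring.so use_authtok
""",
    "system-auth": """\
# Managed by puppet
auth        sufficient    pam_sss.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
session     sufficient    pam_sss.so
""",
}
FIXED_STACKS = {
    "passwd": BUG_STACKS["passwd"],
    "system-auth": """\
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
""",
}

if __name__ == "__main__":
    for label, stacks in (("bug", BUG_STACKS), ("fixed", FIXED_STACKS)):
        print(f"{label}: {lint_use_authtok(stacks, 'passwd') or 'clean'}")
```

On the reporter's stack the lint flags pam_unix.so, pam_sss.so and pam_gnome_keyring.so in that order, which matches the log above: the PAM_CHAUTHTOK request reaches the sssd backend with "newauthtok size: 0" because nothing earlier in the stack ever collected a new password. The other remedy from the comment, dropping use_authtok from the pam_sss.so line (so pam_sss prompts itself), also comes out clean.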
Comment 4 Ruben Kerkhof 2011-05-10 11:29:21 EDT
Great, that did the trick! Thanks.