Description of problem:

Logging in from console or GDM, can not change user's password - when password change is required.

/var/log/secure:

May 16 11:03:39 dhcp-100-19-170 login: pam_sss(login:chauthtok): system info: [Decrypt integrity check failed]
May 16 11:03:39 dhcp-100-19-170 login: pam_sss(login:chauthtok): Authentication failed for user mmouse: 4 (System error)
May 16 11:03:39 dhcp-100-19-170 login: Authentication token manipulation error
May 16 11:03:39 dhcp-100-19-170 login: PAM 1 more authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=mmouse


If password change is not required, login is successful.

Environment:
IPA Server and Replica


Version-Release number of selected component (if applicable):
ipa-server-2.0.0-23.1.el6.x86_64
ipa-client-2.0.0-23.1.el6.x86_64
sssd-1.5.1-34.el6.x86_64


How reproducible:
always

Steps to Reproduce:
1. install IPA server and replica
2. install ipa client
3. add two new ipa users and assign the user's passwords
4. kinit as one user to set the password where password change is then not required
5. attempt console login from client with user that does not require password change
6. attempt console login from client with user that does require password change
  
Actual results:
prompted to change password - enter new password - then get token manipulation error

Expected results:
successfully set password from console or GDM login.

Additional info: