Description of problem:
The password cannot be changed for a new IPA user.

Version-Release number of selected component (if applicable):
sssd-1.10.0-1.fc19.alpha1

How reproducible:
always

Steps to Reproduce:
1. Create a user
   $ kinit admin
   ...
   $ ipa user-add ipauser --first ipa --last user --password
2. Try to log in
   $ su - ipauser
   Password:
   Password expired. Change your password now.
   su: Authentication token manipulation error
3. /var/log/secure:
   Apr 17 13:56:55 f19 su: pam_unix(su-l:auth): authentication failure; logname=root uid=1000 euid=0 tty=pts/0 ruser=test rhost= user=aaa
   Apr 17 13:56:56 f19 su: pam_sss(su-l:auth): authentication failure; logname=root uid=1000 euid=0 tty=pts/0 ruser=test rhost= user=aaa
   Apr 17 13:56:56 f19 su: pam_sss(su-l:auth): received for user aaa: 12 (Authentication token is no longer valid; new one required)
   Apr 17 13:56:56 f19 su: pam_sss(su-l:account): User info message: Password expired. Change your password now.
   Apr 17 13:56:56 f19 su: pam_unix(su-l:chauthtok): user "aaa" does not exist in /etc/passwd
   Apr 17 13:56:56 f19 su: pam_sss(su-l:chauthtok): Authentication failed for user aaa: 15 (Authentication service cannot retrieve user credentials)

Actual results:

Expected results:

Additional info:
I debugged the issue with Patrik in person and I think the bug was caused by changing the PAM return codes.
Upstream ticket: https://fedorahosted.org/sssd/ticket/1882
The issue turned out to be a misconfigured PAM stack. Sorry for the noise.

password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
#password   sufficient    pam_sss.so use_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

The use_first_pass option was extra. I'm not a PAM expert, but it seems that use_first_pass is not correct there, even according to man pam_unix(8) and the pam_cracklib example listed there. The PAM config was generated by authconfig so I'll reassign the bug there.
The use_first_pass option (if implemented as in other modules) should really be harmless there. What semantics does use_first_pass have in pam_sss.so?
The same as pam_unix: "The argument use_first_pass forces the module to use a previous stacked modules password and will never prompt the user - if no password is available or the password is not appropriate, the user will be denied access." Since neither pam_pwquality nor pam_unix will ask for a password during the PAM_PRELIM_CHECK run, pam_sss will not find any password with pam_get_item() and must fail, because use_first_pass does not allow pam_sss to request the password on its own.
Ah, you're right, I forgot that pam_unix won't ask for the old password if there is no such entry in /etc/passwd.
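As an added check, not code from this bug report, from SSSD or from authconfig: the following POSIX shell script scans a PAM service file for a pam_sss.so line in the password stack that carries use_first_pass, the option comments 4 and 6 identify as the cause (pam_sss may then only reuse a password an earlier module obtained, and in the PAM_PRELIM_CHECK pass neither pam_pwquality nor pam_unix asks a user absent from /etc/passwd for one). The two sample stacks are constructed here from the lines quoted in comment 4; the function names and the idea of printing a replacement line with the option dropped are the example's own.

```shell
#!/bin/sh
# Added example (not from this bug report, SSSD or authconfig): detect
# use_first_pass on pam_sss.so in the "password" stack of a PAM service
# file, the misconfiguration discussed in this thread.

# Constructed sample mirroring the misconfigured stack quoted in comment 4.
SAMPLE_BAD='password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_first_pass use_authtok
password    required      pam_deny.so'

# Constructed sample of the corrected stack (use_first_pass removed).
SAMPLE_GOOD='password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
#password   sufficient    pam_sss.so use_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so'

# pam_sss_password_ok FILE
# Prints every active "password" line whose module is pam_sss.so and whose
# module arguments include use_first_pass. Returns 0 when none is found,
# 1 otherwise. Comment lines are skipped; the module is located by name
# rather than by field position, so a bracketed control field such as
# "[success=1 default=ignore]" does not confuse the check.
pam_sss_password_ok() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "password" {
            seen_sss = 0; seen_ufp = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /pam_sss\.so$/) seen_sss = 1
                else if (seen_sss && $i == "use_first_pass") seen_ufp = 1
            }
            if (seen_sss && seen_ufp) { print; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# suggest_fix FILE
# Prints each offending line with use_first_pass dropped and everything
# else left as is, i.e. the form shown in comment 4 after the fix.
suggest_fix() {
    sed -n 's/^\(password[[:space:]].*pam_sss\.so.*\)[[:space:]]use_first_pass\(.*\)$/\1\2/p' "$1"
}

# check_file FILE: report the result for one service file.
check_file() {
    if pam_sss_password_ok "$1"; then
        echo "$1: no use_first_pass on pam_sss.so in the password stack"
    else
        echo "$1: offending line(s) above; suggested replacement:"
        suggest_fix "$1"
    fi
}

# check_sample LABEL CONTENT: write a constructed sample to a temp file and check it.
check_sample() {
    f=$(mktemp)
    printf '%s\n' "$2" > "$f"
    echo "== $1"
    check_file "$f"
    rm -f "$f"
}

# Stand-alone run: check the constructed samples, or a real service file
# (for example /etc/pam.d/system-auth) when a path is given as the first argument.
if [ -n "${1:-}" ]; then
    check_file "$1"
else
    check_sample misconfigured "$SAMPLE_BAD"
    check_sample corrected "$SAMPLE_GOOD"
fi
```

Run it without arguments to see both samples evaluated, or point it at a service file to check a live stack; the sed rewrite only strips the single option and leaves the rest of the line untouched, matching the corrected line in comment 4.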
authconfig-6.2.6-2.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/authconfig-6.2.6-2.fc19
Package authconfig-6.2.6-2.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing authconfig-6.2.6-2.fc19'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-6098/authconfig-6.2.6-2.fc19
then log in and leave karma (feedback).
authconfig-6.2.6-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Today I newly installed CentOS 6.5 and I have the same bug.

useradd erik
root@0 ~ # su erik
id: cannot find name for group ID 500
id: cannot find name for user ID 500
root@0 ~ # userdel erik
root@0 ~ # useradd erik
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
Creating mailbox file: File exists
root@0 ~ # su oguz
id: cannot find name for group ID 500
id: cannot find name for user ID 500
I have no name!@0 /root $ cd
I have no name!@0 ~ $
I have no name!@0 ~ $ pwd
/home/erik
I have no name!@0 ~ $ passwd
Changing password for user erik.
Changing password for erik.
(current) UNIX password:
passwd: Authentication token manipulation error

Any answer?
This is the log of the problem:

May 11 11:12:48 0 useradd[8382]: new user: name=erik, UID=500, GID=500, home=/home/erik, shell=/bin/bash
May 11 11:13:39 0 su: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
May 11 11:13:39 0 su: PAM adding faulty module: /lib64/security/pam_fprintd.so
May 11 11:13:39 0 su: pam_unix(su:session): session opened for user erik by root(uid=0)
May 11 11:15:09 0 passwd: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
May 11 11:15:09 0 passwd: PAM adding faulty module: /lib64/security/pam_fprintd.so
May 11 11:15:15 0 passwd: pam_unix(passwd:chauthtok): authentication failure; logname=root uid=500 euid=0 tty=pts/0 ruser= rhost= user=erik
(In reply to dahili from comment #11)
> This is the log of the problem:
>
> May 11 11:12:48 0 useradd[8382]: new user: name=erik, UID=500, GID=500, home=/home/erik, shell=/bin/bash
> May 11 11:13:39 0 su: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
> May 11 11:13:39 0 su: PAM adding faulty module: /lib64/security/pam_fprintd.so
> May 11 11:13:39 0 su: pam_unix(su:session): session opened for user erik by root(uid=0)
> May 11 11:15:09 0 passwd: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
> May 11 11:15:09 0 passwd: PAM adding faulty module: /lib64/security/pam_fprintd.so
> May 11 11:15:15 0 passwd: pam_unix(passwd:chauthtok): authentication failure; logname=root uid=500 euid=0 tty=pts/0 ruser= rhost= user=erik

This log has nothing to do with SSSD or IPA. You are adding a local user to the box, and the PAM stack does not even show SSSD as a module being involved.