Red Hat Bugzilla – Bug 983028
passwd returns "Authentication token manipulation error" when entering wrong current password
Last modified: 2013-11-21 17:20:39 EST
Description of problem:
Trying to do a password change as an LDAP user using pam_sss.so and entering the wrong 'current' password results in:

passwd: Authentication token manipulation error

which can be interpreted by an end user as a system error rather than the hint of a wrong password.

Version-Release number of selected component (if applicable):
sssd-client-1.9.2-82.el6

How reproducible:
Always

Steps to Reproduce:
1. configure ldap server with at least one user
2. configure sssd to use ldap as the id_provider, auth_provider and chpass_provider
3. set sss as provider in /etc/nsswitch.conf
4. enable pam_sss in system-auth-ac as per RHEL6 Deployment guide
5. login as the ldap user
6. issue a password change request by running passwd
7. enter a wrong 'current' password

Actual results:
$ passwd
Changing password for user ldapuser.
Current Password:
passwd: Authentication token manipulation error

Expected results:
More descriptive message like:
Authentication failed for user ldapuser

Additional info:
* The authentication failure is logged in /var/log/secure as
Jul 9 13:33:11 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user ldapuser: 7 (Authentication failure)
* It looks like the pam module returns PAM_AUTHTOK_ERR instead of PAM_AUTH_ERR
* Similar behavior when using pam_unix with a local user
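Because passwd only shows the generic "Authentication token manipulation error", the real cause of a failed password change lives in the pam_sss line written to /var/log/secure. The following added example (not part of the bug report or of SSSD) parses lines of that shape and maps the numeric PAM code to its Linux-PAM symbol so an administrator can tell a wrong current password (PAM_AUTH_ERR, 7) apart from a genuine token error (PAM_AUTHTOK_ERR, 20); the sample log lines are constructed, modelled on the one quoted above.

```python
import re

# Linux-PAM return codes relevant to this report (numeric values as defined by Linux-PAM).
PAM_CODES = {
    7: "PAM_AUTH_ERR",          # wrong current password: "Authentication failure"
    8: "PAM_MAXTRIES",          # "Have exhausted maximum number of retries for service"
    20: "PAM_AUTHTOK_ERR",      # "Authentication token manipulation error"
    27: "PAM_AUTHTOK_EXPIRED",  # "Authentication token is no longer valid; new one required"
}

# Shape of the pam_sss line quoted in the report:
# "<timestamp> <host> passwd: pam_sss(passwd:chauthtok): Authentication failed for user ldapuser: 7 (Authentication failure)"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>[^:\s]+): "
    r"pam_sss\((?P<service>[^:)]+):(?P<stage>[^)]+)\): "
    r"(?P<msg>.+?) for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)$"
)

def parse_pam_sss_line(line):
    """Parse one pam_sss syslog line; return a dict, or None if it is not in this shape."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    code = int(m.group("code"))
    return {
        "user": m.group("user"),
        "service": m.group("service"),
        "stage": m.group("stage"),
        "code": code,
        "symbol": PAM_CODES.get(code, "UNKNOWN_%d" % code),
        "reason": m.group("text"),
    }

def chpass_failures(lines):
    """Keep only chauthtok (password change) failures, the events passwd hides behind its generic message."""
    records = (parse_pam_sss_line(line) for line in lines)
    return [r for r in records if r is not None and r["stage"] == "chauthtok"]

# Constructed sample log lines modelled on the entry quoted in the report (not a real capture).
SAMPLE_LOG = [
    "Jul  9 13:33:11 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user ldapuser: 7 (Authentication failure)",
    "Jul  9 13:33:40 hostname sshd[2210]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=ldapuser",
    "Jul  9 13:34:05 hostname passwd: pam_sss(passwd:chauthtok): Password change failed for user ldapuser: 20 (Authentication token manipulation error)",
]

if __name__ == "__main__":
    for rec in chpass_failures(SAMPLE_LOG):
        print("%(user)s %(service)s/%(stage)s -> %(symbol)s: %(reason)s" % rec)
```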
Similar issue when the new password does not match the password policy as configured on the LDAP server:
~~~
$ passwd
Changing password for user ldapuser
Current Password:
New Password:
Reenter new Password:
Password change failed. Server message: Failed to update password
passwd: Authentication token is no longer valid; new one required
~~~
The end user will be unaware of the real reason for the password change rejection.
As discussed yesterday on IRC and as you noted, the same happens with a local user. The SSSD correctly returns the PAM error code for a wrong password. Please follow up with the passwd(1) maintainer if you think this is a bug, but this is definitely not an SSSD problem.
Upstream ticket: https://fedorahosted.org/sssd/ticket/1827
Upstream ticket: https://fedorahosted.org/sssd/ticket/2029
Fixed upstream
Tested with sssd-1.9.2-128.el6.x86_64
~~~
:: [ PASS ] :: Running 'getent passwd sssduser1' (Expected 0, got 0)
spawn ssh -o StrictHostKeyChecking=no sssduser1@localhost
sssduser1@localhost's password:
Last login: Fri Oct 25 13:57:14 2013 from localhost
id: cannot find name for group ID 10011
[sssduser1@dhcp207-156 ~]$ passwd
Changing password for user sssduser1.
Current Password:
Password change failed. Server message: Old password not accepted.
passwd: Authentication token manipulation error
[sssduser1@dhcp207-156 ~]$ passwd
Changing password for user sssduser1.
Current Password:
New password:
BAD PASSWORD: it is based on a dictionary word
New password:
BAD PASSWORD: it is based on a dictionary word
New password:
BAD PASSWORD: it is based on a dictionary word
passwd: Have exhausted maximum number of retries for service
[sssduser1@dhcp207-156 ~]$ passwd
Changing password for user sssduser1.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
:: [ PASS ] :: Running 'su_success sssduser1 LionKing@_123' (Expected 0, got 0)
~~~
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1680.html