Package: libpam-sss Version: 1.16.3-3.1 Severity: normal Dear Maintainer,
problem: changing SAMBA AD DC passwd using SSSD with AD providers When user runs 'passwd' the old pw is prompted for and validated but not prompt for a new pw is shows. SSSD log and source code indicate that pam_sss.so returns an empty authtok. outcome: User cannot change password (unless using samba-tool). work-around: Using pam_sss.so prompt_always in common-auth. common-auth (autogenerated by pam-auth-config and patched): ... # here are the per-package modules (the "Primary" block) password [success=2 default=ignore] pam_unix.so obscure sha512 password sufficient pam_sss.so prompt_always #password sufficient pam_sss.so use_authtok # here's the fallback if no module succeeds .... -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-4-amd64 (SMP w/2 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages libpam-sss depends on: ii libc6 2.28-8 ii libpam-pwquality 1.4.0-3 ii libpam-runtime 1.3.1-5 ii libpam0g 1.3.1-5 Versions of packages libpam-sss recommends: pn sssd <none> libpam-sss suggests no packages. -- no debconf information
