Public bug reported:
Scenario: SSSD is configured using LDAP and Kerberos as the authentication backend. When attempting to change the password of a non-local user (one provided by SSSD) with the `passwd` util, the password change fails. The password change fails immediately after asking for the current password, without prompting for the new password. When looking at the Kerberos server logs, it says that it received an empty new password.

This can be worked around by removing `use_authtok` from the `pam_sss.so` password line in `/etc/pam.d/common-password`, but this is not a good solution. I am not sure what previous module in the PAM stack is providing the password (that use_authtok is grabbing), as the only 'password' entry in common-password before `pam_sss.so` is `pam_unix.so`, and I've tried disabling it with no effect. The `/etc/pam.d/passwd` file only has a single line of `@include common-password`.

* Versions

  Ubuntu 12.04.1 LTS
  libpam-sss 1.8.2-0ubuntu1
  sssd 1.8.2-0ubuntu1

* Password change attempt:

  # passwd
  Current Password:
  Password change failed. Server message: Password not changed.
  passwd: Authentication token manipulation error
  passwd: password unchanged

* kadmind.log from Kerberos server

  Jan 02 23:42:28 i-5a0a4603 kadmind[17317](Error): password quality module empty rejected password for t...@cliff.cloudburrito.com: Empty passwords are not allowed

* /etc/pam.d/passwd (comment lines stripped)

  @include common-password

* /etc/pam.d/common-password (comment lines stripped)

  password [success=2 default=ignore] pam_unix.so obscure sha512
  password sufficient pam_sss.so use_authtok
  password requisite pam_deny.so
  password required pam_permit.so

* /etc/sssd/sssd.conf

  [sssd]
  config_file_version = 2
  services = nss, pam
  domains = cliff.cloudburrito.com

  [nss]

  [pam]

  [domain/cliff.cloudburrito.com]
  cache_credentials = True
  id_provider = ldap
  access_provider = simple
  auth_provider = krb5
  chpass_provider = krb5
  enumerate = true
  cache_credentials = true
  krb5_store_password_if_offline = True
  krb5_server = ipa.cliff.cloudburrito.com
  krb5_realm = CLIFF.CLOUDBURRITO.COM
  ldap_pwd_policy=mit_kerberos
  ldap_id_use_start_tls = true
  ldap_tls_reqcert = allow
  ldap_uri = ldap://ipa.cliff.cloudburrito.com
  ldap_schema = rfc2307bis
  ldap_search_base = dc=cliff,dc=cloudburrito,dc=com
  ldap_user_search_base = cn=users,cn=accounts,dc=cliff,dc=cloudburrito,dc=com
  ldap_group_search_base = cn=groups,cn=accounts,dc=cliff,dc=cloudburrito,dc=com
  ldap_default_bind_dn = uid=auth,cn=sysaccounts,cn=etc,dc=cliff,dc=cloudburrito,dc=com
  ldap_default_authtok = FOOBAR
  simple_allow_users = test
  simple_allow_groups =

** Affects: sssd (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: precise

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1095482

Title:
  sssd kerberos password change fails

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1095482/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
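The following is an added example, not part of the bug report and not SSSD or Linux-PAM code. It is a small interpreter for the `password` stack quoted above, using the control-flag semantics documented in pam.conf(5) (`sufficient`, `requisite`, `[success=N default=ignore]` jumps). The module behaviour is a deliberately simplified model and an assumption: `pam_unix.so` steps aside (PAM_USER_UNKNOWN) for a user that is not in `/etc/shadow` and only stores a new token when it actually handles the change, and `pam_sss.so` with `use_authtok` reuses whatever token an earlier module left instead of prompting, so it forwards an empty password when nothing set one. Running the reporter's stack for a non-local user reproduces the observed outcome, and running the `use_authtok`-free variant reproduces the workaround.

```python
"""Simplified Linux-PAM `password` stack simulator (added example, assumptions marked)."""
import re

# Keyword controls expressed as the bracketed actions pam.conf(5) defines them as.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# The stack from the bug report, verbatim, and the reporter's workaround.
COMMON_PASSWORD = """
password [success=2 default=ignore] pam_unix.so obscure sha512
password sufficient pam_sss.so use_authtok
password requisite pam_deny.so
password required pam_permit.so
"""
COMMON_PASSWORD_WORKAROUND = COMMON_PASSWORD.replace(" use_authtok", "")


def parse_stack(text):
    """Parse `type control module [args...]` lines; comments and blank lines skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            raise ValueError("unparsable PAM line: " + raw)
        mtype, control, module, args = m.groups()
        if control.startswith("["):
            actions = dict(pair.split("=", 1) for pair in control[1:-1].split())
        else:
            actions = dict(KEYWORDS[control])
        entries.append({"type": mtype, "actions": actions, "module": module, "args": args.split()})
    return entries


def run_module(entry, ctx):
    """Modelled module behaviour (assumption, not the real modules' logic)."""
    mod, args = entry["module"], entry["args"]
    if mod == "pam_unix.so":
        if not ctx["local_user"]:
            return "user_unknown"           # no /etc/shadow entry: pam_unix does nothing
        ctx["authtok"] = ctx["new_password"]  # local change: pam_unix prompted and stored PAM_AUTHTOK
        return "success"
    if mod == "pam_sss.so":
        if "use_authtok" in args:
            tok = ctx["authtok"]            # reuse only; never prompt the user
        else:
            tok = ctx["new_password"]       # prompt for the new password itself
            ctx["authtok"] = tok
        ctx["sent_to_kdc"] = tok
        return "success" if tok else "authtok_err"  # KDC rejects an empty new password
    if mod == "pam_deny.so":
        return "authtok_err"
    if mod == "pam_permit.so":
        return "success"
    raise ValueError("no model for " + mod)


def evaluate(entries, ctx):
    """Walk the stack applying ok/bad/done/die/ignore/N actions; returns (result, trace)."""
    i, status, trace = 0, None, []
    while i < len(entries):
        e = entries[i]
        ret = run_module(e, ctx)
        action = e["actions"].get(ret, e["actions"].get("default", "bad"))
        trace.append((e["module"], ret, action))
        if action == "ok" or action.isdigit():   # N is "ok" plus a jump over N modules
            if status != "failure":
                status = "success"
            if action.isdigit():
                i += int(action)
        elif action == "bad":
            status = "failure"                   # first failure is sticky
        elif action == "done":
            return ("failure" if status == "failure" else "success", trace)
        elif action == "die":
            return ("failure", trace)
        elif action == "reset":
            status = None
        # "ignore": contributes nothing to the stack result
        i += 1
    return (status or "failure", trace)


def simulate(stack_text, local_user, new_password="correct horse"):
    """Change the password through `stack_text`; PAM_AUTHTOK starts unset (modelled as "")."""
    ctx = {"local_user": local_user, "new_password": new_password, "authtok": "", "sent_to_kdc": None}
    result, trace = evaluate(parse_stack(stack_text), ctx)
    return {"result": result, "sent_to_kdc": ctx["sent_to_kdc"], "trace": trace}


if __name__ == "__main__":
    for label, stack in (("reported stack", COMMON_PASSWORD), ("without use_authtok", COMMON_PASSWORD_WORKAROUND)):
        r = simulate(stack, local_user=False)
        print(f"{label}: {r['result']}, password sent to KDC = {r['sent_to_kdc']!r}")
        for step in r["trace"]:
            print("   ", step)
```

For the non-local user the trace shows why the reporter's attempt to disable pam_unix changes nothing: pam_unix already contributes `ignore`, so pam_sss is reached either way, and with `use_authtok` it has no earlier token to reuse and forwards an empty password, which the KDC log above rejects; `sufficient` then discards that error and `pam_deny.so` ends the stack with a failure. A local user takes the `success=2` jump straight to `pam_permit.so` and never touches pam_sss.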