Howdy folks,

I'm having an issue with password resets which I'm sorry to say I haven't been 
able to figure out by google search or searching the mailing list archives.

I tried to make my sssd configuration as minimal as possible following the doc 
on the wiki about authenticating to 2008 AD server (see [3] below) and I used 
the keytab method and instead of editing PAM files I ran authconfig because I'm 
on Red Hat.

When I switch (su - bryan.harris.adm) to my AD user and run passwd, it allows 
me to type both old and new passwords.  Right away it says "Password change 
failed."  Then after about 2 seconds it says "passwd: Authentication token 
manipulation error" on a new line.

I found [1] and [2] below which seem similar to my issue.  I have played a bit 
with my PAM options, but to no avail.  Can anyone tell me what I'm doing wrong? 
 I can post the huge log messages, I just didn't want the email to get too 
large straight away.

[1] - https://bugs.launchpad.net/ubuntu/+source/libpam-krb5/+bug/826989
[2] - https://lists.fedorahosted.org/pipermail/sssd-users/2012-July/000041.html
[3] - https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server

RHEL 6.4
pam-1.1.1-13
sssd-1.9.2-82

--- first off here is what I added to the my.great.domain zone in BIND ---

_ldap._tcp              1D IN SRV 0 100 389 dc01
_ldap._tcp              1D IN SRV 0 100 389 dc02
_kerberos._tcp          1D IN SRV 0 100 88 dc01
_kerberos._tcp          1D IN SRV 0 100 88 dc02
_kpasswd._tcp           1D IN SRV 0 100 464 dc01
_kpasswd._tcp           1D IN SRV 0 100 464 dc02

_kerberos._udp          1D IN SRV 0 100 88 dc01
_kerberos._udp          1D IN SRV 0 100 88 dc02
_kpasswd._udp           1D IN SRV 0 100 464 dc01
_kpasswd._udp           1D IN SRV 0 100 464 dc02

The rest of the files below are on linux-server.

--- /etc/pam.d/system-auth ---

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so maxrepeat=3 difok=4 lcredit=-1 ocredit=-1 ucredit=-1 dcredit=-1 try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass remember=24 use_authtok
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_krb5.so

--- /etc/pam.d/password-auth ---

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so maxrepeat=3 difok=4 lcredit=-1 ocredit=-1 ucredit=-1 dcredit=-1 try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_krb5.so

--- /etc/krb5.conf ---

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MY.GREAT.DOMAIN
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes

[realms]
 MY.GREAT.DOMAIN = {
 }

[domain_realm]
 my.great.domain = MY.GREAT.DOMAIN
 .my.great.domain = MY.GREAT.DOMAIN

--- /etc/krb5.keytab ---

# This has the keytab from the 2008 AD domain controller.

--- /etc/sssd/sssd.conf ---

[domain/default]

cache_credentials = False
krb5_realm = MY.GREAT.DOMAIN
auth_provider = krb5
chpass_provider = krb5
debug_level = 9

[sssd]
config_file_version = 2
domains = MY.GREAT.DOMAIN
services = nss, pam
debug_level = 9

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 9

[pam]
reconnection_retries = 3
debug_level = 9

[domain/MY.GREAT.DOMAIN]
enumerate = True
cache_credentials = False
id_provider = ldap
access_provider = ldap
ldap_access_filter = memberOf=CN=Linux Admins,OU=Security Groups,OU=Groups,OU=MYGROUP,DC=my,DC=great,DC=domain
auth_provider = krb5
chpass_provider = krb5
debug_level = 9

ldap_schema = rfc2307bis
ldap_force_upper_case_realm = True
ldap_sasl_mech = gssapi
ldap_sasl_authid = host/[email protected]
ldap_uri = ldap://dc01.my.great.domain/,ldap://dc02.my.great.domain

ldap_user_name = sAMAccountName
ldap_user_object_class = person
ldap_group_object_class = group
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_modify_timestamp = whenChanged
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_user_gecos = displayName

ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_ticket_lifetime = 86400

krb5_realm = MY.GREAT.DOMAIN
#krb5_kpasswd = dc01.my.great.domain
#krb5_server = dc01.my.great.domain,dc02.my.great.domain
krb5_validate = true
krb5_canonicalize = false
krb5_renewable_lifetime = 7d
krb5_lifetime = 24h
krb5_use_fast = try

--- grep -i error /var/log/secure ---

May 30 08:43:26 linux-server passwd: pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]
May 30 08:43:26 linux-server passwd: pam_sss(passwd:chauthtok): Password change failed for user bryan.harris.adm: 20 (Authentication token manipulation error

--- /var/log/sss/* ---

I am not sure what's relevant, I just posted some error lines.  If needed I can 
(A) truncate the files + (B) re-run passwd and then post the results.  I 
ignored the DNS errors after I noticed in the logs that it's correctly 
resolving everything afterwards because it does a lookup on the SRV record 
(which I added to my BIND server), or at least it looks to be correct AFAICS.

ldap_child.log: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
ldap_child.log: Received error from KDC: -1765328359/Additional pre-authentication required ...
sssd_nss.log: Got reply from Data Provider - DP error code: 3 errno: 19 error message: Subdomains back end target is not configured
sssd_nss.log: Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success ...
sssd_MY.GREAT.DOMAIN.log: Could not get fully qualified name for host name linux-server.my.great.domain error [2]: No such file or directory, resolver returned: [4]: Domain name not found

Thanks in advance,
Bryan
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
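The stack walk behind the symptom in the post, as an added example that is not part of the original message or of the sssd project: a small model of how Linux-PAM combines module results under the control flags used in the poster's /etc/pam.d/system-auth, following the [value=action] rules in pam.conf(5). The module return values fed in are hypothetical, chosen to match an AD-only user whose pam_sss password change fails.

```python
# Added example (not from the original post): a model of how Linux-PAM combines
# module results under the control flags in the post's /etc/pam.d/system-auth,
# per pam.conf(5). The module return values below are hypothetical inputs.
PAM_SUCCESS, PAM_PERM_DENIED, PAM_USER_UNKNOWN = 0, 6, 10
PAM_NEW_AUTHTOK_REQD, PAM_AUTHTOK_ERR, PAM_IGNORE = 12, 20, 25
RETVAL_NAMES = {PAM_SUCCESS: "success", PAM_NEW_AUTHTOK_REQD: "new_authtok_reqd",
                PAM_USER_UNKNOWN: "user_unknown", PAM_IGNORE: "ignore"}

# Keyword controls expanded to the bracket form exactly as pam.conf(5) gives them.
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

def parse_control(control):
    """'required' or '[default=bad success=ok user_unknown=ignore]' -> {value: action}."""
    control = KEYWORDS.get(control, control)
    return dict(item.split("=", 1) for item in control.strip("[]").split())

def run_stack(stack):
    """stack: [(control, module, retval)] -> (final status, module that set it)."""
    impression, status, decider = "undef", PAM_PERM_DENIED, None
    for control, module, retval in stack:
        actions = parse_control(control)
        action = actions.get(RETVAL_NAMES.get(retval, ""), actions["default"])
        if action in ("ok", "done"):
            # A success only counts while no earlier module has failed.
            if impression == "undef" or (impression == "pos" and status == PAM_SUCCESS):
                impression, status, decider = "pos", retval, module
            if impression == "pos" and action == "done":
                break                  # sufficient success: stop the stack here
        elif action in ("bad", "die"):
            if impression != "neg":    # the first failure is the one reported
                impression, status, decider = "neg", retval, module
            if action == "die":
                break                  # requisite failure: stop immediately
        # any other action ("ignore") means this module's result is not counted
    return status, decider

# The post's password stack for an AD-only user: pam_unix finds no local shadow
# entry, pam_sss fails the kpasswd exchange, pam_krb5 has no usable token.
PASSWD_STACK_AD_USER = [
    ("requisite",  "pam_cracklib.so", PAM_SUCCESS),
    ("sufficient", "pam_unix.so",     PAM_USER_UNKNOWN),
    ("sufficient", "pam_sss.so",      PAM_AUTHTOK_ERR),
    ("sufficient", "pam_krb5.so",     PAM_AUTHTOK_ERR),
    ("required",   "pam_deny.so",     PAM_AUTHTOK_ERR),
]
```

run_stack(PASSWD_STACK_AD_USER) returns (20, 'pam_deny.so'): every sufficient module failed and was ignored, so the "Authentication token manipulation error" passwd prints is pam_deny's generic verdict, and the real diagnostic ("Generic error (see e-text)" from pam_sss) only appears in /var/log/secure and the sssd logs.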