Hello,
I would be grateful if somebody could give me some advice.
My stuff and environment:
I have these configs at the top of all main pam-configs (just for testing):
password [default=die success=ok] my_custom_pam.so
password [default=die success=done] pam_sss.so use_authtok use_first_pass
my_custom_pam.so includes two simple functions which provide the correct test user credentials:
#define PAM_SM_AUTH
#define PAM_SM_PASSWORD
#include <security/pam_modules.h>

PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    pam_set_item(pamh, PAM_AUTHTOK, "q1w2e3r4t5y6"); /* pam_set_item copies the string */
    return PAM_SUCCESS;
}
/* libpam expects pam_sm_setcred next to pam_sm_authenticate; nothing to do here. */
PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    return PAM_SUCCESS;
}
PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    /* called twice: PAM_PRELIM_CHECK, then PAM_UPDATE_AUTHTOK */
    pam_set_item(pamh, PAM_OLDAUTHTOK, "q1w2e3r4t5y6");
    pam_set_item(pamh, PAM_AUTHTOK, "q1w2e3r4t5y6");
    return PAM_SUCCESS;
}
Initially I worked with a FreeIPA client. According to FreeIPA policy, a new user should change his password during first login.
What I have is a successful auth stage, but pam_sss can't change the password due to an error response from the server.
...
Nov 27 08:35:04 test su[68635]: my_custom_pam(su:auth): [DEBUG] Debug: 1, Slot: 0
Nov 27 08:35:04 test su[68635]: my_custom_pam(su:auth): PAM_SUCCESS
Nov 27 08:35:04 test su[68635]: pam_sss(su:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/6 ruser=user rhost= user=test_user(a)dc.test
Nov 27 08:35:04 test su[68635]: pam_sss(su:auth): received for user test_user(a)dc.test: 12
Nov 27 08:35:04 test su[68635]: pam_sss(su:account): User info message:
Nov 27 08:35:04 test su[68635]: my_custom_pam(su:chauthtok): [DEBUG] Debug: 1, Slot: 0
Nov 27 08:35:04 test su[68635]: my_custom_pam(su:chauthtok): PRELIM
Nov 27 08:35:04 test su[68635]: my_custom_pam(su:chauthtok): EXPIRED
Nov 27 08:35:04 test su[68635]: my_custom_pam(su:chauthtok): PAM_SUCCESS
Nov 27 08:35:04 test su[68635]: pam_sss(su:chauthtok): User info message: Old password not accepted.
Nov 27 08:35:04 test su[68635]: pam_sss(su:chauthtok): Authentication failed for user test_user(a)dc.test: 4 (System error)
...
Next I tried the experiment in Active Directory and I got the same result. The server can't accept the user credentials.
I can't get through the chauthtok prelim step because of "old user password is not accepted" and I can't find the reason why it happens.
Moreover, if I remove the use_first_pass parameter then pam_sss will prompt for the current password. In this case I enter the same password and it works, and the password is changed successfully.
No idea.
Thanks in advance.
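As an added illustration (not part of the post above and not libpam's own code), the following C program models how the Linux-PAM dispatcher applies bracketed control fields like the two used in the post, following the ignore/ok/done/bad/die semantics described in pam.d(5). The module results are simulated rather than produced by real modules, the trailing "pam_unix.so" line is a hypothetical placeholder for whatever follows the two custom lines in the service file, and the return-code numbers are Linux-PAM's own, so the "4 (System error)" in the log is PAM_SYSTEM_ERR and a value of 12 corresponds to PAM_NEW_AUTHTOK_REQD.

```c
#include <stdio.h>
#include <string.h>

/* Return codes with Linux-PAM's numeric values (<security/_pam_types.h>),
 * so they line up with the numbers pam_sss writes to the log. */
enum { PAM_SUCCESS = 0, PAM_SYSTEM_ERR = 4, PAM_PERM_DENIED = 6, PAM_AUTH_ERR = 7,
       PAM_NEW_AUTHTOK_REQD = 12, PAM_AUTHTOK_ERR = 20 };

/* Control actions a pam.d(5) "[value=action ...]" field can name. */
enum action { ACT_IGNORE, ACT_OK, ACT_DONE, ACT_BAD, ACT_DIE };
static const char *action_name[] = { "ignore", "ok", "done", "bad", "die" };

struct control { enum action on_success, on_default; };
/* One stack line: module name (for the trace), its control field, the code it returns. */
struct entry { const char *name; struct control ctl; int retval; };

static int parse_action(const char *s, enum action *out)
{
    for (size_t i = 0; i < sizeof action_name / sizeof action_name[0]; i++)
        if (strcmp(s, action_name[i]) == 0) { *out = (enum action)i; return 0; }
    return -1;
}

/* Parse e.g. "[default=die success=ok]". Only the two keys used in the post are
 * understood and both must be present. Returns 0 on success, -1 otherwise. */
int parse_control(const char *spec, struct control *out)
{
    char buf[128];
    int have_success = 0, have_default = 0;
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    for (char *tok = strtok(buf, "[] \t"); tok; tok = strtok(NULL, "[] \t")) {
        char *eq = strchr(tok, '=');
        if (!eq) return -1;
        *eq = '\0';
        if (strcmp(tok, "success") == 0 && parse_action(eq + 1, &out->on_success) == 0)
            have_success = 1;
        else if (strcmp(tok, "default") == 0 && parse_action(eq + 1, &out->on_default) == 0)
            have_default = 1;
        else
            return -1;
    }
    return have_success && have_default ? 0 : -1;
}

/* Walk a stack as pam.d(5) describes: ok/done set the status only while no earlier
 * module has failed, bad/die record the first failure, done/die stop the walk.
 * A stack in which no module contributed is denied. */
int run_stack(const struct entry *stack, size_t n, int trace)
{
    enum { UNDEF, POSITIVE, NEGATIVE } impression = UNDEF;
    int status = PAM_SUCCESS;
    for (size_t i = 0; i < n; i++) {
        int rv = stack[i].retval;
        enum action act = rv == PAM_SUCCESS ? stack[i].ctl.on_success : stack[i].ctl.on_default;
        if (trace) printf("  %-28s returned %2d -> %s\n", stack[i].name, rv, action_name[act]);
        switch (act) {
        case ACT_IGNORE: break;
        case ACT_OK: case ACT_DONE:
            if (impression == UNDEF || (impression == POSITIVE && status == PAM_SUCCESS)) {
                impression = POSITIVE; status = rv;
            }
            if (act == ACT_DONE && impression == POSITIVE) return status;
            break;
        case ACT_BAD: case ACT_DIE:
            if (impression != NEGATIVE) {  /* the first failure is the one reported */
                impression = NEGATIVE; status = rv;
            }
            if (act == ACT_DIE) return status;
            break;
        }
    }
    return impression == UNDEF ? PAM_PERM_DENIED : status;
}

/* The post's two lines, plus a hypothetical trailing line that behaves like "required"
 * and always succeeds; it only shows which outcomes ever reach the rest of the file. */
int two_module_stack(const char *ctl_custom, int rv_custom,
                     const char *ctl_sss, int rv_sss, int trace)
{
    struct entry stack[3] = {
        { "my_custom_pam.so",            { ACT_IGNORE, ACT_IGNORE }, rv_custom },
        { "pam_sss.so",                  { ACT_IGNORE, ACT_IGNORE }, rv_sss },
        { "pam_unix.so (trailing line)", { ACT_OK, ACT_BAD },        PAM_SUCCESS },
    };
    if (parse_control(ctl_custom, &stack[0].ctl) || parse_control(ctl_sss, &stack[1].ctl))
        return -1;  /* malformed control field */
    return run_stack(stack, 3, trace);
}

int main(void)
{
    const char *ok_die = "[default=die success=ok]", *done_die = "[default=die success=done]";
    puts("pam_sss rejects the injected token (trailing line never runs):");
    printf("  => %d\n", two_module_stack(ok_die, PAM_SUCCESS, done_die, PAM_AUTH_ERR, 1));
    puts("first line written as success=done (pam_sss never runs):");
    printf("  => %d\n", two_module_stack(done_die, PAM_SUCCESS, done_die, PAM_AUTH_ERR, 1));
    return 0;
}
```

What the runs show: with `success=ok` on the custom line, control always continues to pam_sss, and because that line uses both `done` and `die`, whatever pam_sss returns is the result of the whole phase and nothing below the two lines is consulted. Had the first line been written with `success=done`, the hard-coded credential alone would end the stack with success before pam_sss ever saw it, which is the check worth making before leaving such a test module in a service file.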