On related problems:
I opened a bug regarding messages given to the user on lightdm:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1009013
It seems that PAM interaction with the user is not correctly handled by graphical logins.
----- Original Message -----
From: "Marc Grimme" <grimme(a)atix.de>
To: "End-user discussions about the System Security Services Daemon"
<sssd-users(a)lists.fedorahosted.org>
CC: freeipa-users(a)redhat.com
Sent: Tuesday, 20 November 2012 10:25:56
Subject: Re: [SSSD-users] [Freeipa-users] Problem with password reset on ubuntu 12.04
(lightdm)
On 20.11.2012 09:39, Sumit Bose wrote:
On Mon, Nov 19, 2012 at 09:18:51PM +0100, Marc Grimme wrote:
> Hello sssd list.
> My problem is that an Ubuntu 12.04 client configured with sssd cannot
> change a password that has to be set anew for IPA.
> As I've learned from the IPA list there are indications that sssd might
> be the problem in this case.
>
> With logging=10 in sssd.conf I see the following logs by sssd:
>
> When a user password expires the users are requested to change their
> password (in the login screen).
> They'll type their old password and then repeat it as part of the change
> process. Nevertheless - although the password matches - they are not
> issued to input their new password but get the error message that this
> action could not be performed (Password change failed. Server message..).
I guess it is your PAM configuration. If you use a client side password
checker, e.g. pam_cracklib or pam_pwquality.so, in the password section
of your PAM configuration you have to add the 'use_authtok' option to
pam_sss in the section. If you do not use any checker you must not use
'use_authtok' here because sssd would expect a password to be available
on the PAM stack but no module sets it.
From your description I guess you do not have a client-side password
checker but 'use_authtok' is set. If this is the case, please remove
'use_authtok' and try again.
HTH
bye,
Sumit
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Hi Sumit,
thanks very much.
I replaced the line
/etc/pam.d/common-password:
password sufficient pam_sss.so use_authtok
with
password sufficient pam_sss.so
restarted lightdm and the password change succeeded like a charm.
Regards Marc.
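The use_authtok rule from Sumit's reply, written as a small lint over a PAM password stack. This is an added example, not part of the thread and not sssd code. The names parse_pam_line and check_password_stack are hypothetical; it assumes the four-column /etc/pam.d format, does not follow @include lines, and treats only the two modules named in the thread as checkers.

```python
# Added example: lint the "password" stack for the use_authtok rule from the thread.
# Assumption: only the two modules named in the thread count as checkers; extend
# CHECKERS if another earlier module in your stack prompts for the new password.
CHECKERS = {"pam_cracklib.so", "pam_pwquality.so"}

def parse_pam_line(line):
    """Return (type, module, args) for a /etc/pam.d rule, else None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("@include"):
        return None
    parts = line.split()
    rest = parts[1:]
    # A bracketed control such as [success=1 default=ignore] spans several tokens.
    if rest and rest[0].startswith("["):
        while len(rest) > 1 and not rest[0].endswith("]"):
            rest = rest[1:]
    if len(rest) < 2:
        return None
    return parts[0].lstrip("-"), rest[1].rsplit("/", 1)[-1], rest[2:]

def check_password_stack(text):
    """Return [(line_number, message)] for pam_sss rules that break the rule."""
    findings, checker_seen = [], False
    for number, raw in enumerate(text.splitlines(), 1):
        rule = parse_pam_line(raw)
        if rule is None or rule[0] != "password":
            continue
        _, module, args = rule
        if module in CHECKERS:
            checker_seen = True
        elif module == "pam_sss.so":
            has_opt = "use_authtok" in args
            if has_opt and not checker_seen:
                findings.append((number, "use_authtok set, but no earlier checker supplies the new password"))
            elif checker_seen and not has_opt:
                findings.append((number, "checker runs first, but pam_sss lacks use_authtok"))
    return findings

BROKEN = "password sufficient pam_sss.so use_authtok\n"   # line from the thread
FIXED = "password sufficient pam_sss.so\n"                # Marc's replacement
# Constructed sample: a checker in front of pam_sss, where use_authtok is required.
WITH_CHECKER = ("password requisite pam_pwquality.so retry=3\n"
                "password [success=1 default=ignore] pam_sss.so use_authtok\n")

if __name__ == "__main__":
    for name, stack in (("broken", BROKEN), ("fixed", FIXED), ("with checker", WITH_CHECKER)):
        print(name, check_password_stack(stack))
```

To check a real system, pass the contents of /etc/pam.d/common-password (or the distribution's equivalent file) to check_password_stack.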