On Fri, Apr 25, 2014 at 04:39:49PM -0400, kevin sullivan wrote:
I am seeing an issue when I try to change a local user's password when SSSD
(1.9.2-82.el6) is not running. I have two sets of users: users stored in
ldap and users stored locally on my RHEL 6.4 machine. When able, I want to
login as the ldap users and only fallback to the local users when I can't
contact the ldap server. This is why I have pam configured like this:
password requisite pam_cracklib.so retry=3 minlen=10
password sufficient pam_sss.so forward_pass use_authtok
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
When SSSD is running, I can change the password of local users and ldap
users. However, when I try to change the password of a local user when SSSD
is not running, I see this error:
Changing password for user.
passwd: Authentication token manipulation error.
I then added 'audit' and 'debug' options to the pam_unix module and saw
this output in /var/log/secure:
Apr 25 16:01:21 localhost passwd: pam_sss(passwd:chauthtok): Request to sssd failed. Connection refused
Apr 25 16:01:21 localhost passwd: pam_unix(passwd:chauthtok): username [user] obtained
Apr 25 16:01:28 localhost passwd: pam_sss(passwd:chauthtok): Request to sssd failed. Connection refused

Are you sure SSSD was running at this point?
Connection refused sounds an awful lot like the daemon was not up at
all.
Can you check if sssd was running (service sssd start, service sssd
status) and paste if the error code pam_sss returns is the same as you
pasted above?