On Thu, May 30, 2013 at 02:36:08PM +0000, Harris, Bryan L. wrote:
Sorry about the weird line endings in my first email. Here is the
same with the line endings fixed.
I'm having an issue with password resets which I'm sorry to say I haven't
been able to figure out by google search or searching the mailing list archives.
I tried to make my sssd configuration as minimal as possible following the doc on the
wiki about authenticating to 2008 AD server (see [3] below) and I used the keytab method
and instead of editing PAM files I ran authconfig because I'm on Red Hat.
When I switch (su - bryan.harris.adm) to my AD user and run passwd, it allows me to type
both old and new passwords. Right away it says "Password change failed." Then
after about 2 seconds it says "passwd: Authentication token manipulation error"
on a new line.
I found [1] and [2] below which seem similar to my issue. I have played a bit with my
PAM options, but to no avail. Can anyone tell me what I'm doing wrong? I can post
the huge log messages, I just didn't want the email to get too large straight away.
[1] - https://bugs.launchpad.net/ubuntu/+source/libpam-krb5/+bug/826989
[2] - https://lists.fedorahosted.org/pipermail/sssd-users/2012-July/000041.html
[3] - https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server
RHEL 6.4
pam-1.1.1-13
sssd-1.9.2-82
--- first off here is what I added to the my.great.domain zone in BIND ---
_ldap._tcp 1D IN SRV 0 100 389 dc01
_ldap._tcp 1D IN SRV 0 100 389 dc02
_kerberos._tcp 1D IN SRV 0 100 88 dc01
_kerberos._tcp 1D IN SRV 0 100 88 dc02
_kpasswd._tcp 1D IN SRV 0 100 464 dc01
_kpasswd._tcp 1D IN SRV 0 100 464 dc02
_kerberos._udp 1D IN SRV 0 100 88 dc01
_kerberos._udp 1D IN SRV 0 100 88 dc02
_kpasswd._udp 1D IN SRV 0 100 464 dc01
_kpasswd._udp 1D IN SRV 0 100 464 dc02
The rest of the files below are on linux-server.
--- /etc/pam.d/system-auth ---
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so maxrepeat=3 difok=4 lcredit=-1 ocredit=-1 ucredit=-1 dcredit=-1 try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow try_first_pass remember=24 use_authtok
password sufficient pam_sss.so use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session optional pam_krb5.so
--- /etc/pam.d/password-auth ---
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so maxrepeat=3 difok=4 lcredit=-1 ocredit=-1 ucredit=-1 dcredit=-1 try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session optional pam_krb5.so
--- /etc/krb5.conf ---
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MY.GREAT.DOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes
[realms]
MY.GREAT.DOMAIN = {
}
[domain_realm]
my.great.domain = MY.GREAT.DOMAIN
.my.great.domain = MY.GREAT.DOMAIN
--- /etc/krb5.keytab ---
# This has the keytab from the 2008 AD domain controller.
--- /etc/sssd/sssd.conf ---
[domain/default]
cache_credentials = False
krb5_realm = MY.GREAT.DOMAIN
auth_provider = krb5
chpass_provider = krb5
debug_level = 9
[sssd]
config_file_version = 2
domains = MY.GREAT.DOMAIN
services = nss, pam
debug_level = 9
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 9
[pam]
reconnection_retries = 3
debug_level = 9
[domain/MY.GREAT.DOMAIN]
enumerate = True
cache_credentials = False
id_provider = ldap
access_provider = ldap
ldap_access_filter = memberOf=CN=Linux Admins,OU=Security Groups,OU=Groups,OU=MYGROUP,DC=my,DC=great,DC=domain
auth_provider = krb5
chpass_provider = krb5
debug_level = 9
ldap_schema = rfc2307bis
ldap_force_upper_case_realm = True
ldap_sasl_mech = gssapi
ldap_sasl_authid = host/linux-server.my.great.domain@MY.GREAT.DOMAIN
ldap_uri = ldap://dc01.my.great.domain/,ldap://dc02.my.great.domain
ldap_user_name = sAMAccountName
ldap_user_object_class = person
ldap_group_object_class = group
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_modify_timestamp = whenChanged
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_user_gecos = displayName
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_ticket_lifetime = 86400
krb5_realm = MY.GREAT.DOMAIN
#krb5_kpasswd = dc01.my.great.domain
#krb5_server = dc01.my.great.domain,dc02.my.great.domain
krb5_validate = true
krb5_canonicalize = false
krb5_renewable_lifetime = 7d
krb5_lifetime = 24h
krb5_use_fast = try
--- grep -i error /var/log/secure ---
May 30 08:43:26 linux-server passwd: pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]
May 30 08:43:26 linux-server passwd: pam_sss(passwd:chauthtok): Password change failed for user bryan.harris.adm: 20 (Authentication token manipulation error
--- /var/log/sss/* ---
I am not sure what's relevant, I just posted some error lines. If needed I can (A)
truncate the files + (B) re-run passwd and then post the results. I ignored the DNS
errors after I noticed in the logs that it's correctly resolving everything afterwards
because it does a lookup on the SRV record (which I added to my BIND server), or at least
it looks to be correct AFAICS.
ldap_child.log: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
ldap_child.log: Received error from KDC: -1765328359/Additional pre-authentication required ...
Hi Bryan,
This is interesting, do these occur after every sssd startup or was it
just some artifact from before? The ldap_child is used to authenticate
with GSSAPI to the LDAP server, if the authentication wouldn't succeed,
the SSSD would go offline.
Also typically the host/fqdn@REALM principal is not used, but rather
shortname$@REALM, in your case linux$@MY.GREAT.DOMAIN
sssd_nss.log: Got reply from Data Provider - DP error code: 3 errno: 19 error message: Subdomains back end target is not configured
sssd_nss.log: Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success ...
sssd_MY.GREAT.DOMAIN.log: Could not get fully qualified name for host name linux-server.my.great.domain error [2]: No such file or directory, resolver returned: [4]: Domain name not found
Thanks in advance,
Bryan
Are you sure the new password meets the complexity requirements imposed
by AD? Currently SSSD doesn't really report those in a meaningful way.
Also, is there any interesting information in the krb5_child.log? With
debug level as high as yours, I would expect all the trace information
present.
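One way to sanity-check the `password` stack quoted in the post, as an added example that is not code from the thread, from SSSD or from authconfig: a small parser for PAM service files plus a linter for the chauthtok stack, run over the posted password-auth file embedded below as constructed input. The module and flag names are the real ones from the post; the two rules it checks (a `use_authtok` module needs an earlier module to have collected the new password, and a `required`/`requisite` module placed ahead of pam_sss can stop a directory user before the remote backend ever runs) are the ordering constraints that decide whether pam_sss is reached at all. The rule set and the helper names are the example's own.

```python
"""PAM service-file parser plus a linter for the 'password' (chauthtok)
stack, the part of system-auth/password-auth that passwd drives.

Added example, not code from the thread. SAMPLE_PASSWORD_AUTH is the
password-auth file quoted in the post, embedded as constructed input
(one long line written with PAM's own backslash continuation).
"""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$"
)
# Modules that prompt for and vet the new password, leaving it in PAM_AUTHTOK
# for later modules that say use_authtok.
TOKEN_SETTERS = {"pam_cracklib.so", "pam_pwquality.so", "pam_passwdqc.so"}
# Modules that change the password in a directory/KDC rather than /etc/shadow.
REMOTE_BACKENDS = {"pam_sss.so", "pam_krb5.so", "pam_ldap.so", "pam_winbind.so"}

SAMPLE_PASSWORD_AUTH = r"""
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so maxrepeat=3 difok=4 lcredit=-1 ocredit=-1 \
    ucredit=-1 dcredit=-1 try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_unix.so
session optional pam_sss.so
"""


@dataclass
class PamEntry:
    mtype: str
    control: str
    module: str
    args: list = field(default_factory=list)


def parse_pam_stack(text: str) -> list:
    """Parse a PAM service file: joins backslash-continued lines, skips
    comments/blank lines, accepts both keyword and [value=action ...] controls."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable PAM line: {line!r}")
        mtype, control, module, rest = m.groups()
        entries.append(PamEntry(mtype, control, module, rest.split()))
    return entries


def password_stack(entries: list) -> list:
    return [e for e in entries if e.mtype == "password"]


def lint_password_stack(entries: list) -> list:
    """Findings about the password stack for a user that exists only in the
    directory (no /etc/shadow entry). Modules run top-down; 'sufficient'
    ends the stack on success, so pam_unix failing for such a user simply
    falls through to pam_sss, but a 'required'/'requisite' module ahead of
    the remote backend makes the whole change fail before pam_sss runs."""
    pw = password_stack(entries)
    findings = []
    remote_idx = next((i for i, e in enumerate(pw) if e.module in REMOTE_BACKENDS), None)
    if remote_idx is None:
        findings.append("no remote password backend (pam_sss/pam_krb5/...) in password stack")
    token_set = False
    for i, e in enumerate(pw):
        if "use_authtok" in e.args and not token_set:
            findings.append(f"{e.module}: use_authtok but no earlier module collected the new password")
        if e.module in TOKEN_SETTERS:
            token_set = True
        if (remote_idx is not None and i < remote_idx
                and e.control in ("required", "requisite")
                and e.module not in TOKEN_SETTERS):
            findings.append(f"{e.module} is {e.control} before {pw[remote_idx].module}; "
                            "a user without a local shadow entry cannot get past it")
    return findings


if __name__ == "__main__":
    parsed = parse_pam_stack(SAMPLE_PASSWORD_AUTH)
    for entry in password_stack(parsed):
        print(f"{entry.control:<12} {entry.module:<18} {' '.join(entry.args)}")
    print("findings:", lint_password_stack(parsed) or "none")
```

On the posted file the linter reports nothing: pam_cracklib collects the token first, and pam_unix is `sufficient`, so an AD user with no shadow entry falls through to pam_sss. That is consistent with the reply looking at the AD password policy and krb5_child.log rather than at the PAM ordering; the same script run over a hand-edited copy (pam_unix made `required`, or pam_cracklib dropped) shows the two ordering mistakes that would produce the same "Authentication token manipulation error" from the PAM side.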