Wednesday, January 31, 2018

[389-users] Re: [SOLVED] Password expiration with 389-ds and sssd on CentOS

After doing some digging, I found a piece of advice that setting 'ChallengeResponseAuthentication yes' in sshd_config would give better error messages. However, it seems to have solved the problem entirely, though I can't say I understand how.

-- Mitch Patenaude

On 1/31/18, 9:19 AM, "Mitch Patenaude" <mpatenaude@shutterfly.com> wrote:

Hi, following some advice I received here a few months back, I'm trying to get sssd set up for auth with a 389-ds backend. Almost everything works well, except for the ability to change expired passwords. When A user has an expired password, he/she is unable to change it. The exchange looks like:

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user testacct2.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Failed to update password

passwd: Authentication token is no longer valid; new one required

And the entry in /var/log/secure looks like:

Jan 30 16:44:37 ldap01 passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Failed to update password
Jan 30 16:44:37 ldap01 passwd: pam_sss(passwd:chauthtok): Password change failed for user testacct2: 12 (Authentication token is no longer valid; new one required)

And the associated entry in /etc/pam.d/system-auth is:
password sufficient pam_sss.so use_authtok

I'm hoping that somebody else here has solved this problem.

-- Mitch Patenaude

_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org



_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org

No comments:

Post a Comment