On related problems:
I opened a bug regarding messages given to user on lightdm: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1009013
Seems that PAM interaction with the user is not correctly handled by graphical logins.
----- Original Message -----
From: "Marc Grimme" grimme@atix.de
To: "End-user discussions about the System Security Services Daemon" sssd-users@lists.fedorahosted.org
CC: freeipa-users@redhat.com
Sent: Tuesday, 20 November 2012 10:25:56
Subject: Re: [SSSD-users] [Freeipa-users] Problem with password reset on ubuntu 12.04 (lightdm)

On 20.11.2012 09:39, Sumit Bose wrote:
On Mon, Nov 19, 2012 at 09:18:51PM +0100, Marc Grimme wrote:
Hello sssd list. My problem is that an Ubuntu 12.04 client configured with sssd cannot change a password that has to be set anew for IPA. As I've learned from the IPA list, there are indications that sssd might be the problem in this case.
With logging=10 in sssd.conf I see the following logs by sssd:
When a user password expires the users are requested to change their password (in the login screen). They'll type their old password and then repeat it as part of the change process. Nevertheless - although the password matches - they are not issued to input their new password but get the error message that this action could not be performed (Password change failed. Server message..).
I guess it is your PAM configuration. If you use a client-side password checker, e.g. pam_cracklib or pam_pwquality.so, in the password section of your PAM configuration, you have to add the 'use_authtok' option to pam_sss in the section. If you do not use any checker you must not use 'use_authtok' here because sssd would expect a password to be available on the PAM stack but no module sets it.
From your description I guess you do not have a client-side password checker but 'use_authtok' is set. If this is the case, please remove 'use_authtok' and try again.
HTH
bye,
Sumit
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Hi Sumit,
thanks very much. I replaced the line
/etc/pam.d/common-password:
    password sufficient pam_sss.so use_authtok
with
    password sufficient pam_sss.so
restarted lightdm and the password change succeeded like a charm.
Regards Marc.
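The use_authtok rule from Sumit's reply, as an added example that is not part of the original thread: a Python check over the `password` lines of a PAM file that flags pam_sss.so when use_authtok is set without a preceding checker, or missing when one is present. It assumes only the two checkers named in the thread put the new password on the stack; the function names and sample stacks are constructed for illustration.

```python
import re

# Assumption: only the two client-side checkers named in the thread are
# treated as modules that put the new password on the PAM stack.
TOKEN_SETTERS = {"pam_cracklib.so", "pam_pwquality.so"}
LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def password_stack(text):
    """Return [(module, options)] for every 'password' line, in order."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())  # drop comments
        if m and m.group(1).lstrip("-") == "password":
            module = m.group(3).rsplit("/", 1)[-1]    # allow absolute paths
            stack.append((module, m.group(4).split()))
    return stack

def check_pam_sss(text):
    """Return findings for pam_sss.so lines that break the use_authtok rule."""
    findings, token_available = [], False
    for module, opts in password_stack(text):
        if module in TOKEN_SETTERS:
            token_available = True
        elif module == "pam_sss.so":
            uses = "use_authtok" in opts
            if uses and not token_available:
                findings.append("use_authtok set, but no checker precedes pam_sss.so")
            elif token_available and not uses:
                findings.append("checker precedes pam_sss.so, but use_authtok is missing")
    return findings

# Constructed samples; the pam_sss.so lines are the ones quoted in the thread.
BEFORE = "password sufficient pam_sss.so use_authtok\n"
AFTER = "password sufficient pam_sss.so\n"
WITH_CHECKER = (
    "# constructed stack with a client-side checker\n"
    "password requisite pam_pwquality.so retry=3\n"
    "password sufficient pam_sss.so use_authtok\n"
)

if __name__ == "__main__":
    for name, conf in [("before", BEFORE), ("after", AFTER), ("checker", WITH_CHECKER)]:
        print(name, check_pam_sss(conf) or "ok")
```
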