Howdy folks,
I'm having an issue with password resets which, I'm sorry to say, I haven't been able to figure out by Google search or by searching the mailing list archives.
I tried to make my sssd configuration as minimal as possible, following the doc on the wiki about authenticating to a 2008 AD server (see [3] below). I used the keytab method, and instead of editing the PAM files I ran authconfig because I'm on Red Hat.
When I switch (su - bryan.harris.adm) to my AD user and run passwd, it allows me to type both old and new passwords. Right away it says "Password change failed." Then after about 2 seconds it says "passwd: Authentication token manipulation error" on a new line.
I found [1] and [2] below which seem similar to my issue. I have played a bit with my PAM options, but to no avail. Can anyone tell me what I'm doing wrong? I can post the huge log messages, I just didn't want the email to get too large straight away.
[1] - https://bugs.launchpad.net/ubuntu/+source/libpam-krb5/+bug/826989
[2] - https://lists.fedorahosted.org/pipermail/sssd-users/2012-July/000041.html
[3] - https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20...

RHEL 6.4
pam-1.1.1-13
sssd-1.9.2-82
--- first off here is what I added to the my.great.domain zone in BIND ---
_ldap._tcp      1D IN SRV 0 100 389 dc01
_ldap._tcp      1D IN SRV 0 100 389 dc02
_kerberos._tcp  1D IN SRV 0 100 88  dc01
_kerberos._tcp  1D IN SRV 0 100 88  dc02
_kpasswd._tcp   1D IN SRV 0 100 464 dc01
_kpasswd._tcp   1D IN SRV 0 100 464 dc02
_kerberos._udp  1D IN SRV 0 100 88  dc01
_kerberos._udp  1D IN SRV 0 100 88  dc02
_kpasswd._udp   1D IN SRV 0 100 464 dc01
_kpasswd._udp   1D IN SRV 0 100 464 dc02
The rest of the files below are on linux-server.
--- /etc/pam.d/system-auth ---
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so maxrepeat=3 difok=4 lcredit=-1 ocredit=-1 ucredit=-1 dcredit=-1 try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass remember=24 use_authtok
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_krb5.so
--- /etc/pam.d/password-auth ---
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so maxrepeat=3 difok=4 lcredit=-1 ocredit=-1 ucredit=-1 dcredit=-1 try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_krb5.so
--- /etc/krb5.conf ---
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MY.GREAT.DOMAIN
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes

[realms]
 MY.GREAT.DOMAIN = {
 }

[domain_realm]
 my.great.domain = MY.GREAT.DOMAIN
 .my.great.domain = MY.GREAT.DOMAIN
--- /etc/krb5.keytab ---
# This has the keytab from the 2008 AD domain controller.
--- /etc/sssd/sssd.conf ---
[domain/default]
cache_credentials = False
krb5_realm = MY.GREAT.DOMAIN
auth_provider = krb5
chpass_provider = krb5
debug_level = 9

[sssd]
config_file_version = 2
domains = MY.GREAT.DOMAIN
services = nss, pam
debug_level = 9

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 9

[pam]
reconnection_retries = 3
debug_level = 9

[domain/MY.GREAT.DOMAIN]
enumerate = True
cache_credentials = False
id_provider = ldap
access_provider = ldap
ldap_access_filter = memberOf=CN=Linux Admins,OU=Security Groups,OU=Groups,OU=MYGROUP,DC=my,DC=great,DC=domain
auth_provider = krb5
chpass_provider = krb5
debug_level = 9

ldap_schema = rfc2307bis
ldap_force_upper_case_realm = True
ldap_sasl_mech = gssapi
ldap_sasl_authid = host/linux-server.my.great.domain@MY.GREAT.DOMAIN
ldap_uri = ldap://dc01.my.great.domain/,ldap://dc02.my.great.domain

ldap_user_name = sAMAccountName
ldap_user_object_class = person
ldap_group_object_class = group
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_modify_timestamp = whenChanged
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_user_gecos = displayName

ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_ticket_lifetime = 86400

krb5_realm = MY.GREAT.DOMAIN
#krb5_kpasswd = dc01.my.great.domain
#krb5_server = dc01.my.great.domain,dc02.my.great.domain
krb5_validate = true
krb5_canonicalize = false
krb5_renewable_lifetime = 7d
krb5_lifetime = 24h
krb5_use_fast = try
--- grep -i error /var/log/secure ---
May 30 08:43:26 linux-server passwd: pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]
May 30 08:43:26 linux-server passwd: pam_sss(passwd:chauthtok): Password change failed for user bryan.harris.adm: 20 (Authentication token manipulation error
--- /var/log/sss/* ---
I am not sure what's relevant, I just posted some error lines. If needed I can (A) truncate the files, (B) re-run passwd and then post the results. I ignored the DNS errors after I noticed in the logs that it's correctly resolving everything afterwards, because it does a lookup on the SRV record (which I added to my BIND server), or at least it looks to be correct AFAICS.

ldap_child.log: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
ldap_child.log: Received error from KDC: -1765328359/Additional pre-authentication required
...
sssd_nss.log: Got reply from Data Provider - DP error code: 3 errno: 19 error message: Subdomains back end target is not configured
sssd_nss.log: Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
...
sssd_MY.GREAT.DOMAIN.log: Could not get fully qualified name for host name linux-server.my.great.domain error [2]: No such file or directory, resolver returned: [4]: Domain name not found
Thanks in advance, Bryan
sssd-users@lists.fedorahosted.org
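The "password" stack in the system-auth posted above is a chain of "sufficient" entries ending in "required pam_deny.so", so it helps to see how libpam's control flags combine into the single code passwd prints. The following is an added example for this thread, not code from the post, from Linux-PAM or from SSSD: a small parser for pam.d lines plus a simplified model of the stack walk described in pam.conf(5) (ok, bad, die, done, ignore and positive jumps). It runs one pass over one module type and does not model the two chauthtok phases of a real passwd run, substacks, or PAM_IGNORE result caching. The return codes given to each module in the three scenarios are constructed for illustration (pam_unix reporting an unknown local user, pam_sss and pam_krb5 failing, pam_deny's chauthtok hook returning PAM_AUTHTOK_ERR); they are not taken from the logs in the post.

```python
"""Simplified model of how Linux-PAM walks a service stack (added example for
this thread, not code from the post, Linux-PAM or SSSD). One pass over one
module type with the keyword controls and [value=action] syntax from
pam.conf(5): ok, bad, die, done, ignore and positive jumps. Not modelled: the
two chauthtok phases a real passwd run makes, substacks, PAM_IGNORE caching.
Per-module return codes in the scenarios are constructed for illustration."""

PAM_SUCCESS, PAM_PERM_DENIED, PAM_USER_UNKNOWN, PAM_AUTHTOK_ERR = 0, 6, 10, 20
RETVAL_NAMES = {PAM_SUCCESS: "success", PAM_PERM_DENIED: "perm_denied",
                PAM_USER_UNKNOWN: "user_unknown", PAM_AUTHTOK_ERR: "authtok_err"}
KEYWORDS = {  # what the keyword controls expand to (pam.conf(5))
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# Constructed input: the password stack and one account line from the
# system-auth shown in the post (module arguments do not affect the walk).
SYSTEM_AUTH = """
#%PAM-1.0
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so
"""


def parse_stack(text, module_type):
    """Entries of one module type, in stack order, as (module, control, args)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, rest = line.split(None, 1)
        if mtype != module_type:
            continue
        if rest.startswith("["):                      # [value=action ...] form
            table, rest = rest[1:].split("]", 1)
            control = dict(kv.split("=", 1) for kv in table.split())
        else:                                         # keyword form
            keyword, rest = rest.split(None, 1)
            control = KEYWORDS[keyword]
        parts = rest.split()
        entries.append((parts[0], control, parts[1:]))
    return entries


def walk(stack, results):
    """Walk the stack like libpam's dispatcher, taking each module's return
    code from results (module name -> code). Returns (final status, modules
    actually called)."""
    impression = None            # None, "positive" or "negative"
    status = PAM_SUCCESS
    called, skip = [], 0
    for module, control, _args in stack:
        if skip:                 # inside a [success=N] jump
            skip -= 1
            continue
        rv = results[module]
        called.append(module)
        action = control.get(RETVAL_NAMES.get(rv, ""), control.get("default", "bad"))
        if action.isdigit():     # N: same as ok, then jump over the next N entries
            skip, action = int(action), "ok"
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == PAM_SUCCESS):
                impression, status = "positive", rv
            if action == "done" and impression == "positive":
                break            # a sufficient module decided it
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", rv   # the first failure wins
            if action == "die":
                break
        else:
            raise ValueError("unknown action %r" % action)
    if status == PAM_SUCCESS and impression != "positive":
        status = PAM_PERM_DENIED  # nothing vouched for the user
    return status, called


def scenario(results):
    """Run the posted password stack with the given per-module return codes."""
    return walk(parse_stack(SYSTEM_AUTH, "password"), results)


def ad_user_change_ok():
    """pam_unix knows no such local user, sufficient ignores that, pam_sss
    succeeds and 'done' ends the walk with PAM_SUCCESS."""
    return scenario({"pam_cracklib.so": PAM_SUCCESS, "pam_unix.so": PAM_USER_UNKNOWN,
                     "pam_sss.so": PAM_SUCCESS, "pam_krb5.so": PAM_SUCCESS,
                     "pam_deny.so": PAM_AUTHTOK_ERR})


def ad_user_change_fails():
    """pam_sss and pam_krb5 both fail; sufficient ignores each failure, so the
    walk falls through to required pam_deny, whose chauthtok returns 20."""
    return scenario({"pam_cracklib.so": PAM_SUCCESS, "pam_unix.so": PAM_USER_UNKNOWN,
                     "pam_sss.so": PAM_AUTHTOK_ERR, "pam_krb5.so": PAM_AUTHTOK_ERR,
                     "pam_deny.so": PAM_AUTHTOK_ERR})


def weak_password_rejected():
    """pam_cracklib rejects the new password: requisite means 'die', so no
    later module is called at all."""
    return scenario({"pam_cracklib.so": PAM_AUTHTOK_ERR})
```

The point the model makes for this thread: with every non-local module marked "sufficient", a failure in pam_sss is discarded rather than reported, and the 20 that passwd prints is whatever the last "required" module hands back, so the line to read is the pam_sss one in /var/log/secure, not passwd's own message.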