hi,
my journey to server policies has begun. I'm testing with a single user. I get warning but I can't change password:
#######################################################################
Last login: Mon Jul 2 12:11:07 2012 from a4badba022d5.example.net
WARNING: Your password has expired.
You must change your password now and login again!
Current Password:
passwd: Authentication token manipulation error
passwd: password unchanged
Connection to cprli0554 closed.
e10000@cprli0555:~$
#######################################################################
relevant info in logs:
#######################################################################
(Mon Jul 2 12:15:29 2012) [sssd[be[example.net]]] [sdap_pam_chpass_handler] (0x0040): starting password change request for user [a10023].
(Mon Jul 2 12:15:29 2012) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Mon Jul 2 12:15:29 2012) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][example.net]
(Mon Jul 2 12:15:29 2012) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][example.net]
(Mon Jul 2 12:15:29 2012) [sssd[be[example.net]]] [be_pam_handler] (0x0100): Got request with the following data
#######################################################################
What am I missing?
Ask for further info if you need it,
àngel
On Mon, Jul 02, 2012 at 12:21:41PM +0200, Angel Bosch wrote:
> hi,
> my journey to server policies has begun. I'm testing with a single user. I get warning but I can't change password:
> #######################################################################
> Last login: Mon Jul 2 12:11:07 2012 from a4badba022d5.example.net
> WARNING: Your password has expired.
> You must change your password now and login again!
> Current Password:
> passwd: Authentication token manipulation error
> passwd: password unchanged
> Connection to cprli0554 closed.
> e10000@cprli0555:~$
> #######################################################################
If you are not asked for a new password I think your pam configuration might need some fixing. If you have a line like
password sufficient pam_sss.so use_authtok
in your configuration there should be a pam module to locally check the new password before, like:
password requisite pam_cracklib.so try_first_pass retry=3 type=
If you do not want to use a local password checker 'use_authtok' must be removed so that pam_sss asks for a new password.
My config looks like
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
HTH
bye, Sumit
> relevant info in logs:
> #######################################################################
> (Mon Jul 2 12:15:29 2012) [sssd[be[example.net]]] [sdap_pam_chpass_handler] (0x0040): starting password change request for user [a10023].
> (Mon Jul 2 12:15:29 2012) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
> (Mon Jul 2 12:15:29 2012) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][example.net]
> (Mon Jul 2 12:15:29 2012) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][example.net]
> (Mon Jul 2 12:15:29 2012) [sssd[be[example.net]]] [be_pam_handler] (0x0100): Got request with the following data
> #######################################################################
> What am I missing?
> Ask for further info if you need it,
> àngel
sssd-users mailing list sssd-users@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-users
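
A small lint for the point made in the reply above, that `use_authtok` on pam_sss needs an earlier module in the password stack to collect the new password. This is an added example, not part of the original messages or of SSSD; the function names and the `NON_PROMPTING` list are assumptions, and it reads pam.d-style lines only.

```python
import re

# pam.d-style line: type, control (plain word or [bracketed]), module, options.
PASSWORD_LINE = re.compile(r"^-?password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Assumption: these modules never prompt for or store a new password.
NON_PROMPTING = {"pam_deny.so", "pam_permit.so"}

# Constructed sample: the pam_sss line quoted in the thread, with no checker.
BROKEN_STACK = """\
password sufficient pam_sss.so use_authtok
password required pam_deny.so
"""

# The working configuration posted in the reply above.
FIXED_STACK = """\
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
"""


def parse_password_stack(text):
    """Return (control, module, options) for each 'password' line, in order."""
    stack = []
    for raw in text.splitlines():
        match = PASSWORD_LINE.match(raw.split("#", 1)[0].strip())
        if match:
            control, module, options = match.groups()
            stack.append((control, module.rsplit("/", 1)[-1], options.split()))
    return stack


def find_orphaned_use_authtok(text):
    """List modules that set use_authtok before any module has collected
    a new password, so they have no token to work with and fail."""
    orphaned = []
    new_password_collected = False
    for _control, module, options in parse_password_stack(text):
        if "use_authtok" in options:
            if not new_password_collected:
                orphaned.append(module)
        elif module not in NON_PROMPTING:
            # Assumption: a module without use_authtok asks for the new password itself.
            new_password_collected = True
    return orphaned
```

`find_orphaned_use_authtok(BROKEN_STACK)` reports `pam_sss.so`, while the configuration from the reply yields an empty list.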
From: "Sumit Bose" sbose@redhat.com
> If you are not asked for a new password I think your pam configuration might need some fixing. If you have a line like
> password sufficient pam_sss.so use_authtok
> in your configuration there should be a pam module to locally check the new password before, like:
> password requisite pam_cracklib.so try_first_pass retry=3 type=
you're right, I was missing some password checker. I've installed pam cracklib and now I'm getting an error about access rights.
shouldn't a user be able to change his own password?
this is the excerpt:
##############################################################################################
Jul 2 13:29:55 cprli0554 passwd[5428]: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Insufficient access rights
Jul 2 13:29:55 cprli0554 passwd[5428]: pam_sss(passwd:chauthtok): Password change failed for user a10023: 20 (Authentication token manipulation error)
##############################################################################################
regards,
àngel
On Mon, Jul 02, 2012 at 01:32:56PM +0200, Angel Bosch wrote:
> From: "Sumit Bose" sbose@redhat.com
> > If you are not asked for a new password I think your pam configuration might need some fixing. If you have a line like
> > password sufficient pam_sss.so use_authtok
> > in your configuration there should be a pam module to locally check the new password before, like:
> > password requisite pam_cracklib.so try_first_pass retry=3 type=
> you're right, I was missing some password checker. I've installed pam cracklib and now I'm getting an error about access rights.
> shouldn't a user be able to change his own password?
This depends on the server settings. E.g. for OpenLDAP you have to configure it explicitly, see slapd.access(5) for details.
HTH
bye, Sumit
> this is the excerpt:
> ##############################################################################################
> Jul 2 13:29:55 cprli0554 passwd[5428]: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Insufficient access rights
> Jul 2 13:29:55 cprli0554 passwd[5428]: pam_sss(passwd:chauthtok): Password change failed for user a10023: 20 (Authentication token manipulation error)
> ##############################################################################################
> regards,
> àngel
From: "Sumit Bose" sbose@redhat.com
> > shouldn't a user be able to change his own password?
> This depends on the server settings. E.g. for OpenLDAP you have to configure it explicitly, see slapd.access(5) for details.
I'm using plain 389 DS (no IPA).
I'm able to change passwords with admin user (ex: Directory Manager) but not with regular users.
I thought default ACIs allow users to change their own attributes.
Can you point me to the right docs?
àngel
On Mon, Jul 02, 2012 at 01:48:40PM +0200, Angel Bosch wrote:
> From: "Sumit Bose" sbose@redhat.com
> > > shouldn't a user be able to change his own password?
> > This depends on the server settings. E.g. for OpenLDAP you have to configure it explicitly, see slapd.access(5) for details.
> I'm using plain 389 DS (no IPA).
> I'm able to change passwords with admin user (ex: Directory Manager) but not with regular users.
> I thought default ACIs allow users to change their own attributes.
> Can you point me to the right docs?
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administ...
bye, Sumit
> àngel
From: "Sumit Bose" sbose@redhat.com
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administ...
It works.
I've made an ACI similar to the one on the example and it works now. I'll play with policies a little bit these days.
I've detected a localization problem that occurs in GDM and Lightdm so I believe that it's in sssd. when the user is asked to change his password some strings are translated and some others aren't. is this a known problem in sssd?
àngel
On Mon, 2012-07-02 at 14:55 +0200, Angel Bosch wrote:
> From: "Sumit Bose" sbose@redhat.com
> > http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administ...
> It works.
> I've made an ACI similar to the one on the example and it works now. I'll play with policies a little bit these days.
> I've detected a localization problem that occurs in GDM and Lightdm so I believe that it's in sssd. when the user is asked to change his password some strings are translated and some others aren't. is this a known problem in sssd?
Well, it depends on the strings. We don't have an official translator. We have a public Transifex instance that people can contribute to[1]. Currently, the only complete translation we have is for Ukrainian. Beyond that, we have partial translations for thirteen other languages.
We're always looking for help with translations. The Transifex instance is easy to use, so if you or any of your colleagues would like to help us out, they can contribute translations directly through the Transifex web application.
From: "Stephen Gallagher" sgallagh@redhat.com
> Well, it depends on the strings. We don't have an official translator. We have a public Transifex instance that people can contribute to[1]. Currently, the only complete translation we have is for Ukrainian. Beyond that, we have partial translations for thirteen other languages.
> We're always looking for help with translations. The Transifex instance is easy to use, so if you or any of your colleagues would like to help us out, they can contribute translations directly through the Transifex web application.
I've translated sssd to Catalan. my Transifex user is muzzol and now I'm waiting for the Catalan team to review my translation. once it is polished I'll send it.
regards,
muzzol
On Tue, 2012-07-03 at 10:12 +0200, Angel Bosch wrote:
> From: "Stephen Gallagher" sgallagh@redhat.com
> > Well, it depends on the strings. We don't have an official translator. We have a public Transifex instance that people can contribute to[1]. Currently, the only complete translation we have is for Ukrainian. Beyond that, we have partial translations for thirteen other languages.
> > We're always looking for help with translations. The Transifex instance is easy to use, so if you or any of your colleagues would like to help us out, they can contribute translations directly through the Transifex web application.
> I've translated sssd to Catalan. my Transifex user is muzzol and now I'm waiting for the Catalan team to review my translation. once it is polished I'll send it.
Thanks! I should warn you that we're not yet in string freeze for 1.9.0, so at the end of this month when we freeze, I'm going to be pushing out new strings for the manpages and new options going into 1.9.0.
From: "Stephen Gallagher" sgallagh@redhat.com
> Thanks! I should warn you that we're not yet in string freeze for 1.9.0, so at the end of this month when we freeze, I'm going to be pushing out new strings for the manpages and new options going into 1.9.0.
ok, I've done 100% in current state of main.
I'm also working on manpage strings, but it'll take a little bit more to finish.
àngel
From: "Angel Bosch" abosch@cilma.net
To: "End-user discussions about the System Security Services Daemon" sssd-users@lists.fedorahosted.org
Sent: Tuesday, 3 July 2012 14:07:52
Subject: Re: [SSSD-users] server side password policy error
> From: "Stephen Gallagher" sgallagh@redhat.com
> > Thanks! I should warn you that we're not yet in string freeze for 1.9.0, so at the end of this month when we freeze, I'm going to be pushing out new strings for the manpages and new options going into 1.9.0.
> ok, I've done 100% in current state of main.
> I'm also working on manpage strings, but it'll take a little bit more to finish.
I'm trying to test my translation. I've tried compiling .mo file and putting it in /usr/share/locale/ca/LC_MESSAGES/sssd.mo but messages are still in English.
Is there any way to test my locales?
àngel
On Wed, 2012-07-04 at 12:43 +0200, Angel Bosch wrote:
> From: "Angel Bosch" abosch@cilma.net
> To: "End-user discussions about the System Security Services Daemon" sssd-users@lists.fedorahosted.org
> Sent: Tuesday, 3 July 2012 14:07:52
> Subject: Re: [SSSD-users] server side password policy error
> > From: "Stephen Gallagher" sgallagh@redhat.com
> > > Thanks! I should warn you that we're not yet in string freeze for 1.9.0, so at the end of this month when we freeze, I'm going to be pushing out new strings for the manpages and new options going into 1.9.0.
> > ok, I've done 100% in current state of main.
> > I'm also working on manpage strings, but it'll take a little bit more to finish.
> I'm trying to test my translation. I've tried compiling .mo file and putting it in /usr/share/locale/ca/LC_MESSAGES/sssd.mo but messages are still in English.
> Is there any way to test my locales?
After you make your changes, copy the .po file from Transifex and drop it in src/man/po and then run './configure && make' from the root of the source tree.
This will compile the code and the translations, then you can do: 'man src/man/ca/<manpage>' and read it.