CentOS 6.5 SSSD / Kerberos and password changes
G'day all
I am running CentOS 6.5 with sssd and am using Kerberos for authentication. I have installed the standard Kerberos packages in addition to the oddjob* packages.
authconfig --enablesssd --enablesssdauth --disableldap --disableldapauth --disablekrb5 --update
This sets up pam_sss.so as the main PAM module that does all the work. Users can log in, Kerberos tickets are created properly, and they get all the appropriate uid/gid/homedirs etc.; all that works fine. Note: I am not binding to the domain, so no keytab files are needed. My issue now is that when a user's AD account password expires, the user is notified when they log in, but password changes fail because of password complexity failures. Despite the passwords having the correct complexity, something in the layers of software is not permitting the password change. It *should* be handled by the KDC/Domain controllers.
I have a hunch that it has to do with the authtok settings in the sssd.conf file, but cannot find a solution despite trying multiple settings.
Has anyone had experience with Kerberos and sssd on CentOS >= 6.5? Shed some light on this issue and you will be rewarded handsomely.