LinuxQuestions.org
Linux - Desktop: This forum is for the discussion of all Linux software used in a desktop context.
Old 10-16-2014, 12:11 PM   #1
rocker65
LQ Newbie
 
Registered: Feb 2013
Location: Ottawa Canada
Distribution: Centos 6
Centos 6.5 SSSD / Kerberos and password changes


G'day all

Running Centos 6.5 with sssd, and am using Kerberos for authentication. Have installed the standard Kerberos packages in addition to the oddjob* packages.

authconfig --enablesssd --enablesssdauth --disableldap --disableldapauth --disablekrb5 --update

This sets up pam_sss.so as the main PAM module that does all the work. Users can log in, Kerberos tickets are created properly, and they get all the appropriate uid/gid/homedirs etc... all that works fine. Note: I am not binding to the domain, so no keytab files are needed. My issue now is when a user's AD account password expires, the user is notified when they log in but password changes fail because of password complexity failures. Despite the passwords having the correct complexity, something in the layers of software is not permitting the password change. It *should* be handled by the KDC/Domain controllers.

I have a hunch that it has to do with the authtok settings in the sssd.conf file, but cannot find a solution despite trying multiple settings.

Has anyone had experience with Kerberos and sssd on Centos >= 6.5? Shed some light on this issue and you will be rewarded handsomely.
 
Old 10-16-2014, 02:13 PM   #2
rocker65
Original Poster
I just want to add that it's difficult for me to post a full sssd.conf file and log information as it's on a secure network. For brevity, here is the output of an attempted password change, from /var/log/secure:

pam_unix(passwd:chauthtok): user userbob does not exist in /etc/passwd
pam_sss(passwd:chauthtok) system info [Generic error(See e-text)]
pam_sss(passwd:chauthtok) User info message: Password change failed complexity etc.........


So pam_unix gives it a go and sees it's not a local account, then pam_sss processes the user's password change request. And fails. What the heck is e-text?

The user experience is odd as well. The user is prompted to enter the current password, after which they are prompted for a new password twice, and then all over again twice. It's the second and final time that the error message is displayed that the password doesn't match complexity requirements. On the user's tty. To me, there's a PAM issue. authconfig is likely missing a flag, not sure which one.

Enough rambling on
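As an added check for this thread (example code, not anything posted by rocker65): a password change on this setup crosses two layers that are misconfigured independently of each other, the chpass_provider of the SSSD domain and the "password" stack in PAM, so it helps to lint both before blaming the domain controller. On the Kerberos side, "Generic error (see e-text)" is MIT Kerberos's string for KRB_ERR_GENERIC; the e-text is the free-text field of the KRB-ERROR message in which the server puts the real reason, and SSSD relays that text in the "User info message" line that follows it in /var/log/secure. The script below parses a constructed sssd.conf and a constructed system-auth password stack. The hostname dc1.example.com, the realm EXAMPLE.COM, the id_provider = ldap choice and the stale chpass_provider = ldap in the weak config are assumptions, and the PAM layout is the CentOS 6 authconfig default.

```python
"""Lint the two layers a Kerberos password change crosses on an SSSD client:
the [domain/...] section of sssd.conf and the 'password' stack in pam.d.

Added example for this thread, not code from the original posts. All config
text below is constructed; dc1.example.com, EXAMPLE.COM and id_provider = ldap
are assumptions, and the PAM layout is the CentOS 6 authconfig default.
"""
import configparser
import re

# Constructed sssd.conf with a stale chpass_provider (assumed left over from an
# earlier authconfig run) that sends password changes to LDAP, not the KDC.
SSSD_CONF_WEAK = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
ldap_uri = ldap://dc1.example.com
auth_provider = krb5
chpass_provider = ldap
krb5_realm = EXAMPLE.COM
krb5_server = dc1.example.com
"""

# Same domain with password changes routed to the kpasswd service on the DC.
SSSD_CONF_FIXED = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
ldap_uri = ldap://dc1.example.com
auth_provider = krb5
chpass_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_server = dc1.example.com
krb5_kpasswd = dc1.example.com
"""

# Constructed /etc/pam.d/system-auth password stack: pam_sss.so lacks use_authtok,
# so after pam_cracklib collects the new password twice, pam_sss prompts twice more.
PAM_WEAK = """\
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so
password    required      pam_deny.so
"""

PAM_FIXED = PAM_WEAK.replace("pam_sss.so\n", "pam_sss.so use_authtok\n")


def lint_sssd(text):
    """Return findings ('error: ...' or 'note: ...') for every domain section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for sec in cp.sections():
        if not sec.startswith("domain/"):
            continue
        d = cp[sec]
        # sssd.conf(5): chpass_provider defaults to auth_provider when unset.
        chpass = d.get("chpass_provider", d.get("auth_provider"))
        if chpass != "krb5":
            findings.append(f"error: {sec}: chpass_provider resolves to {chpass!r}; "
                            "password changes never reach the KDC")
            continue
        if "krb5_realm" not in d:
            findings.append(f"error: {sec}: krb5_realm missing")
        # sssd-krb5(5): without krb5_kpasswd the change goes to the KDC host itself.
        if "krb5_kpasswd" not in d:
            findings.append(f"note: {sec}: krb5_kpasswd unset, kpasswd traffic goes to krb5_server")
    return findings


# One pam.d line: type, control, module, optional args. Bracketed control values
# such as [success=1 default=ignore] are not handled by this simple parser.
PAM_LINE = re.compile(r"^(?P<type>\S+)\s+(?P<ctrl>\S+)\s+(?P<mod>\S+)\s*(?P<args>.*)$")


def lint_pam_password(text):
    """Return findings for the 'password' (chauthtok) stack of a pam.d file."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PAM_LINE.match(line)
        if m and m.group("type") == "password":
            stack.append((m.group("mod"), m.group("args").split()))
    mods = [mod for mod, _ in stack]
    if "pam_sss.so" not in mods:
        return ["error: no pam_sss.so in the password stack; SSSD never sees chauthtok"]
    sss_at = mods.index("pam_sss.so")
    sss_args = stack[sss_at][1]
    collector_first = any(m in ("pam_cracklib.so", "pam_pwquality.so") for m in mods[:sss_at])
    findings = []
    if collector_first and "use_authtok" not in sss_args:
        findings.append("error: pam_sss.so lacks use_authtok; it re-prompts for the new "
                        "password instead of using the one pam_cracklib already checked")
    if not collector_first and "use_authtok" in sss_args:
        findings.append("error: pam_sss.so has use_authtok but no earlier module "
                        "collected a new password, so it has nothing to send")
    return findings


if __name__ == "__main__":
    for label, conf, pam in (("weak", SSSD_CONF_WEAK, PAM_WEAK),
                             ("fixed", SSSD_CONF_FIXED, PAM_FIXED)):
        print(label, lint_sssd(conf) + lint_pam_password(pam))
```

Run it as-is to see the findings for both the weak and the fixed pair; on a live box, feed lint_sssd the contents of /etc/sssd/sssd.conf and lint_pam_password the contents of /etc/pam.d/password-auth-ac or system-auth-ac. To separate PAM from the KDC altogether, kinit as the user and run kpasswd directly: if kpasswd also reports a policy rejection, the complexity decision is the domain controller's and the e-text is its explanation; if kpasswd succeeds while passwd fails, the problem is in the PAM/SSSD layers, and setting debug_level in the domain section will log the exchange in /var/log/sssd/sssd_<domain>.log.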