#1431 Set "krb5_canonicalize = False" for password change to work
Closed: Fixed None Opened 7 years ago by kaushikub.

Try to change a user password:

# ssh -l testuser1 localhost
testuser1@localhost's password: 
Last login: Wed Jul 18 19:59:10 2012 from localhost
-sh-4.2$ passwd
Changing password for user testuser1.
Current Password: 
passwd: Authentication token manipulation error

Change Password fails.

/var/log/secure shows:

Jul 18 19:59:55 dhcp201-207 passwd: pam_sss(passwd:chauthtok): system info: [KDC reply did not match expectations]
Jul 18 19:59:55 dhcp201-207 passwd: pam_sss(passwd:chauthtok): Authentication failed for user testuser1: 4 (System error)

Setting "krb5_canonicalize = False" in the domain section allows password change. This should be False by default in the AD Provider.

However, even with this setting, the password change prompt doesn't appear for a user with "Expired password" or a user with "User must change password on next logon".
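
A triage sketch for the symptom reported above, added here as an example and not part of the ticket or of SSSD: it looks for the pam_sss chauthtok failure signature in secure-log text and lists the sssd.conf domain sections where krb5_canonicalize is not explicitly set to False. The function names, the sample domains and the third log line are constructed for illustration.

```python
import configparser
import re

# Constructed samples: log lines in the format quoted in the ticket, plus a
# made-up sssd.conf with two hypothetical domains.
SAMPLE_LOG = """\
Jul 18 19:59:55 dhcp201-207 passwd: pam_sss(passwd:chauthtok): system info: [KDC reply did not match expectations]
Jul 18 19:59:55 dhcp201-207 passwd: pam_sss(passwd:chauthtok): Authentication failed for user testuser1: 4 (System error)
Jul 18 20:03:12 dhcp201-207 sshd[2211]: Accepted password for testuser1 from ::1 port 40022 ssh2
"""
SAMPLE_CONF = """\
[sssd]
domains = ad.example.com, ldap.example.com

[domain/ad.example.com]
id_provider = ad

[domain/ldap.example.com]
id_provider = ldap
krb5_canonicalize = False
"""

MISMATCH = re.compile(r"pam_sss\([^:)]+:chauthtok\): system info: "
                      r"\[KDC reply did not match expectations\]")
FAILED = re.compile(r"pam_sss\([^:)]+:chauthtok\): Authentication failed "
                    r"for user ([^:\s]+): \d+")

def failed_password_changes(log_text):
    """Users whose chauthtok failure directly follows the KDC mismatch message."""
    users, armed = [], False
    for line in log_text.splitlines():
        hit = FAILED.search(line)
        if hit and armed:
            users.append(hit.group(1))
        armed = bool(MISMATCH.search(line))
    return users

def canonicalize_by_domain(conf_text):
    """Map each [domain/NAME] section to its krb5_canonicalize value or 'unset'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return {s.split("/", 1)[1]: cp.get(s, "krb5_canonicalize", fallback="unset").strip().lower()
            for s in cp.sections() if s.startswith("domain/")}

def domains_to_review(log_text, conf_text):
    """If the failure signature is present, list domains not explicitly set to false."""
    if not failed_password_changes(log_text):
        return []
    return sorted(d for d, v in canonicalize_by_domain(conf_text).items() if v != "false")

if __name__ == "__main__":
    print(failed_password_changes(SAMPLE_LOG), domains_to_review(SAMPLE_LOG, SAMPLE_CONF))
```
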

Fixed by e82832a

milestone: NEEDS_TRIAGE => SSSD 1.9.0 beta 5
resolution: => fixed
status: new => closed

Fields changed

rhbz: => 0

Metadata Update from @kaushikub:
- Issue set to the milestone: SSSD 1.9.0 beta 5

2 years ago
