#1431 Set "krb5_canonicalize = False" for password change to work
Closed: Fixed None Opened 10 years ago by kaushikub.

Try to change a user password:

# ssh -l testuser1 localhost
testuser1@localhost's password: 
Last login: Wed Jul 18 19:59:10 2012 from localhost
-sh-4.2$ passwd
Changing password for user testuser1.
Current Password: 
passwd: Authentication token manipulation error

Change Password fails.

/var/log/secure shows:

Jul 18 19:59:55 dhcp201-207 passwd: pam_sss(passwd:chauthtok): system info: [KDC reply did not match expectations]
Jul 18 19:59:55 dhcp201-207 passwd: pam_sss(passwd:chauthtok): Authentication failed for user testuser1: 4 (System error)

Setting "krb5_canonicalize = False" in the domain section allows password change. This should be False by default in the AD Provider.

However, even with this setting, the password change prompt doesn't appear for a user with "Expired password" or a user with "User must change password on next logon".
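
An added example, not part of the ticket or of SSSD's code: a Python check that lists the AD-provider domains in an sssd.conf that lack the workaround described above, and extracts the affected user from the /var/log/secure signature quoted in the report. The domain names and the sample configuration are constructed; the function names are hypothetical.

```python
import configparser
import re

# Constructed sample sssd.conf: one AD domain without the workaround, one with it.
SAMPLE_CONF = """\
[domain/ad.example.test]
id_provider = ad
[domain/fixed.example.test]
id_provider = ad
krb5_canonicalize = False
[domain/ldap.example.test]
id_provider = ldap
"""
# Log lines as quoted in the ticket's /var/log/secure excerpt.
SAMPLE_LOG = """\
Jul 18 19:59:55 dhcp201-207 passwd: pam_sss(passwd:chauthtok): system info: [KDC reply did not match expectations]
Jul 18 19:59:55 dhcp201-207 passwd: pam_sss(passwd:chauthtok): Authentication failed for user testuser1: 4 (System error)
"""

FAIL_RE = re.compile(r"pam_sss\(passwd:chauthtok\): system info: \[KDC reply did not match expectations\]")
USER_RE = re.compile(r"pam_sss\(passwd:chauthtok\): Authentication failed for user (\S+): 4 \(System error\)")

def domains_missing_workaround(conf_text):
    """Return AD-provider domains that do not set krb5_canonicalize to a false value."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    missing = []
    for section in (s for s in cp.sections() if s.startswith("domain/")):
        dom = cp[section]
        # A domain counts as AD-backed if any of these providers is "ad".
        providers = {dom.get(k, "").strip().lower() for k in ("id_provider", "auth_provider", "chpass_provider")}
        if "ad" not in providers:
            continue
        if dom.get("krb5_canonicalize", "").strip().lower() != "false":
            missing.append(section[len("domain/"):])
    return missing

def affected_users(log_text):
    """Return users whose password change failed right after the KDC mismatch message."""
    users, armed = [], False
    for line in log_text.splitlines():
        if FAIL_RE.search(line):
            armed = True
        elif armed and (m := USER_RE.search(line)):
            users.append(m.group(1))
            armed = False
    return users

if __name__ == "__main__":
    print(domains_missing_workaround(SAMPLE_CONF), affected_users(SAMPLE_LOG))
```

The check treats an unset option as missing, which is an assumption that fits builds predating the fix referenced in this ticket.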

Fixed by e82832a

milestone: NEEDS_TRIAGE => SSSD 1.9.0 beta 5
resolution: => fixed
status: new => closed

Fields changed

rhbz: => 0

Metadata Update from @kaushikub:
- Issue set to the milestone: SSSD 1.9.0 beta 5

5 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2473

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
