#1827 Cannot change expired password of an AD user
Closed: Fixed None Opened 6 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 912470

Description of problem:
1. creating an AD user account with expired password (change at first login)
2. Joining AD domain with realm

I'm unable to change the password of the user:
# ssh SECURITY\\thrix@localhost
SECURITY\thrix@localhost's password:
Password expired. Change your password now.
org.freedesktop.DBus.Error.ServiceUnknown: The name com.redhat.oddjob_mkhomedir
was not provided by any .service files
Last failed login: Thu Feb 14 17:01:29 CET 2013 from localhost on ssh:notty
There were 6 failed login attempts since the last successful login.
Last login: Wed Feb 13 17:52:17 2013 from localhost
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user SECURITY\thrix.
Current Password:
New password:
Retype new password:
Password change failed.
passwd: Authentication token manipulation error
Connection to localhost closed.

The secure log shows:
Feb 18 18:31:16 dhcp-25-79 sshd[5427]: debug1: Setting controlling tty using
Feb 18 18:31:16 dhcp-25-79 passwd: pam_unix(passwd:chauthtok): user
"SECURITY\thrix" does not exist in /etc/passwd
Feb 18 18:31:34 dhcp-25-79 passwd: pam_unix(passwd:chauthtok): user
"SECURITY\thrix" does not exist in /etc/passwd
Feb 18 18:31:34 dhcp-25-79 passwd: pam_sss(passwd:chauthtok): system info:
[Generic error (see e-text)]
Feb 18 18:31:34 dhcp-25-79 passwd: pam_sss(passwd:chauthtok): User info
message: Password change failed.
Feb 18 18:31:34 dhcp-25-79 passwd: pam_sss(passwd:chauthtok): Password change
failed for user SECURITY\thrix: 20 (Authentication token manipulation error)
Feb 18 18:31:36 dhcp-25-79 sshd[5426]: debug1: Received SIGCHLD.
Feb 18 18:31:36 dhcp-25-79 sshd[5426]: debug1: session_by_pid: pid 5427

The sssd log shows (with debug_level 0xFFF0) - see attachment

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. create AD user
2. realm join your.domain
3. ssh YOUR.REALM\\user@localhost

Actual results:
cannot change password

Expected results:
password change OK and login successful

Additional info:
Disabling SELinux has no effect on this bug
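The secure-log excerpt above is the only place where the failure is visible from the client side, and it mixes expected noise (pam_unix complaining that the domain user is not in /etc/passwd, which is normal for an SSSD-served user) with the real verdict from pam_sss. The script below is an added example, not code from the ticket or from SSSD: it triages secure-log lines of that shape, drops the pam_unix noise, and reports each pam_sss chauthtok failure together with whether a "Generic error" backend status preceded it, which on AD domains hints at the server password policy rejecting the new password. The syslog and PAM regexes and the hint wording are assumptions of this example; the sample lines are the ticket's excerpt with the two wrapped lines re-joined.

```python
"""Triage SSSD password-change (chauthtok) failures from /var/log/secure lines."""
import re
from dataclasses import dataclass

# Assumed rsyslog prefix on RHEL-style hosts: "Mon DD HH:MM:SS host prog[pid]: msg"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# PAM module log prefix: "pam_sss(passwd:chauthtok): <text>"
PAM_RE = re.compile(r"^(?P<module>pam_\w+)\((?P<service>\w+):(?P<kind>\w+)\): (?P<text>.*)$")
# Verdict line written by pam_sss: "Password change failed for user X: 20 (reason)"
FAIL_RE = re.compile(
    r"^Password change failed for user (?P<user>.+?): (?P<code>\d+) \((?P<reason>[^)]*)\)$"
)

# Constructed sample: the ticket's secure-log excerpt, wrapped lines re-joined.
SAMPLE_LOG = [
    "Feb 18 18:31:16 dhcp-25-79 sshd[5427]: debug1: Setting controlling tty using",
    'Feb 18 18:31:16 dhcp-25-79 passwd: pam_unix(passwd:chauthtok): user "SECURITY\\thrix" does not exist in /etc/passwd',
    'Feb 18 18:31:34 dhcp-25-79 passwd: pam_unix(passwd:chauthtok): user "SECURITY\\thrix" does not exist in /etc/passwd',
    "Feb 18 18:31:34 dhcp-25-79 passwd: pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]",
    "Feb 18 18:31:34 dhcp-25-79 passwd: pam_sss(passwd:chauthtok): User info message: Password change failed.",
    "Feb 18 18:31:34 dhcp-25-79 passwd: pam_sss(passwd:chauthtok): Password change failed for user SECURITY\\thrix: 20 (Authentication token manipulation error)",
    "Feb 18 18:31:36 dhcp-25-79 sshd[5426]: debug1: Received SIGCHLD.",
]

# Hint text is this example's wording, based on the ticket's diagnosis.
HINT_GENERIC = (
    "pam_sss reported a generic backend error before the failure; on AD domains this "
    "commonly means the server rejected the new password under its password policy."
)
HINT_OTHER = "Password change failed; check the sssd domain log for the backend error."


@dataclass(frozen=True)
class ChauthtokFailure:
    timestamp: str
    host: str
    user: str
    pam_code: int
    reason: str
    generic_backend_error: bool  # a "[Generic error ...]" line preceded the verdict
    hint: str


def find_chauthtok_failures(lines):
    """Return one ChauthtokFailure per pam_sss 'Password change failed' verdict line.

    pam_unix 'does not exist in /etc/passwd' lines are expected for SSSD-served
    domain users (the stack falls through to pam_sss) and are not reported.
    """
    failures = []
    saw_generic = False  # pam_sss logged a generic backend error in the current attempt
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        pm = PAM_RE.match(m["msg"])
        if not pm or pm["kind"] != "chauthtok":
            continue
        text = pm["text"]
        if pm["module"] == "pam_unix" and "does not exist in /etc/passwd" in text:
            continue  # expected noise for domain users, not a failure
        if pm["module"] != "pam_sss":
            continue
        if "Generic error" in text:
            saw_generic = True
            continue
        fm = FAIL_RE.match(text)
        if fm:
            failures.append(ChauthtokFailure(
                timestamp=m["ts"], host=m["host"], user=fm["user"],
                pam_code=int(fm["code"]), reason=fm["reason"],
                generic_backend_error=saw_generic,
                hint=HINT_GENERIC if saw_generic else HINT_OTHER,
            ))
            saw_generic = False  # reset for the next attempt
    return failures


if __name__ == "__main__":
    for f in find_chauthtok_failures(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host}: user={f.user} code={f.pam_code} ({f.reason})")
        print(f"  {f.hint}")
```

Run against a real /var/log/secure the script reads one failure per attempt; the pam_unix lines that look alarming in the ticket are filtered out because they carry no signal for a user that only exists in SSSD.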

Fields changed

blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
selected: =>
testsupdated: => 0

We might want to print a more useful error message after receiving the Generic Error, something like "Please make sure the password meets the complexity constraints".

This is what you get if you use alternative software:
Password does not meet complexity requirements
Your password must be at least 7 characters; cannot repeat any of your previous 24 passwords; must contain capitals, numerals or punctuation; and cannot contain your account or full name; Please type a different password. Type a password which meets these requirements in both text boxes.

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.11 beta

We decided that this ticket would be just about adding a simple generic message that might hint that the cause of the failure is the server password policies. The actual fix will be done later in the scope of #1837.

Fields changed

milestone: SSSD 1.11 beta => SSSD 1.10.0

Fields changed

milestone: SSSD 1.10.0 => SSSD 1.10.1

Fields changed

changelog: =>
owner: somebody => pbrezina
review: => 0
status: new => assigned

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

Fields changed

changelog: => When the user enters a password that doesn't match the complexity requirements on the server, the SSSD now prints a more helpful error message.

Metadata Update from @jhrozek:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.10.1

2 years ago
