#2029 passwd returns "Authentication token manipulation error" when entering wrong current password
Closed: Fixed None Opened 6 years ago by dpal.

Description of problem:
Trying to do a password change as a LDAP user using pam_sss.so and entering
the wrong 'current' password results in: passwd: Authentication token
manipulation error

which can be interpreted by an end user as a system error rather than the hint
of a wrong password.

Version-Release number of selected component (if applicable):
sssd-client-1.9.2-82.el6

How reproducible:
Always

Steps to Reproduce:
1. configure ldap server with at least one user
2. configure sssd to use ldap as the id_provider, auth_provider and
   chpass_provider
3. set sss as provider in /etc/nsswitch.conf
4. enable pam_sss in system-auth-ac as per RHEL6 Deployment guide
5. login as the ldap user
6. issue a password change request by running passwd
7. enter a wrong 'current' password


Actual results:
$ passwd
Changing password for user ldapuser.
Current Password: 
passwd: Authentication token manipulation error

Expected results:
More descriptive message like:
Authentication failed for user ldapuser

Additional info:
* The authentication failure is logged in /var/log/secure as:
  Jul  9 13:33:11 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user ldapuser: 7 (Authentication failure)
* It looks like the pam module returns PAM_AUTHTOK_ERR instead of PAM_AUTH_ERR
* Similar behavior when using pam_unix with a local user
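Whatever passwd prints to the user, the /var/log/secure line quoted above is the reliable record of what actually happened, and it carries the numeric PAM code (7) that the misleading "Authentication token manipulation error" message hides. The following script is an added example, not SSSD's code or anything attached to this ticket: it parses pam_sss failure lines in the syslog format shown above, maps the numeric code to its symbolic name using a small subset of Linux-PAM return codes taken from security/_pam_types.h (7 = PAM_AUTH_ERR, 20 = PAM_AUTHTOK_ERR), keeps only failures raised during a password change (the chauthtok stack), and counts them per user. Apart from the ticket's own line, the sample log lines are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Subset of Linux-PAM return codes (numeric values as defined in
# security/_pam_types.h). The ticket shows code 7 in /var/log/secure, while
# the text passwd printed, "Authentication token manipulation error", is the
# pam_strerror() string for PAM_AUTHTOK_ERR (20).
PAM_CODES = {
    0: "PAM_SUCCESS",
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
    11: "PAM_MAXTRIES",
    20: "PAM_AUTHTOK_ERR",
}

# Matches the pam_sss line format quoted in the ticket, e.g.
#   Jul  9 13:33:11 hostname passwd: pam_sss(passwd:chauthtok): \
#       Authentication failed for user ldapuser: 7 (Authentication failure)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: "
    r"pam_sss\((?P<service>[^:)]+):(?P<func>[^)]+)\): "
    r"Authentication failed for user (?P<user>\S+): (?P<code>\d+) \((?P<msg>[^)]*)\)$"
)


@dataclass
class PamSssFailure:
    timestamp: str
    host: str
    service: str   # PAM service name, e.g. "passwd" or "sshd"
    func: str      # PAM function the failure came from, e.g. "chauthtok" or "auth"
    user: str
    code: int      # numeric PAM return code as logged by pam_sss
    symbol: str    # symbolic name from PAM_CODES, or "PAM_UNKNOWN(<n>)"
    message: str


def parse_line(line: str) -> Optional[PamSssFailure]:
    """Parse one syslog line; return None if it is not a pam_sss failure line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    code = int(m.group("code"))
    return PamSssFailure(
        timestamp=m.group("ts"),
        host=m.group("host"),
        service=m.group("service"),
        func=m.group("func"),
        user=m.group("user"),
        code=code,
        symbol=PAM_CODES.get(code, f"PAM_UNKNOWN({code})"),
        message=m.group("msg"),
    )


def chauthtok_failures(lines: Iterable[str]) -> List[PamSssFailure]:
    """Keep only failures raised during a password change (PAM chauthtok stack)."""
    return [r for r in map(parse_line, lines) if r is not None and r.func == "chauthtok"]


def failures_per_user(lines: Iterable[str]) -> dict:
    """Count chauthtok failures per user; a burst here is worth alerting on."""
    return dict(Counter(r.user for r in chauthtok_failures(lines)))


# Constructed sample input: the first line is the one quoted in the ticket,
# the remaining lines are made up here to exercise the filters.
SAMPLE_LOG = [
    "Jul  9 13:33:11 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user ldapuser: 7 (Authentication failure)",
    "Jul  9 13:33:40 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user ldapuser: 7 (Authentication failure)",
    "Jul  9 13:35:02 hostname sshd[2412]: pam_sss(sshd:auth): Authentication failed for user alice: 7 (Authentication failure)",
    "Jul  9 13:36:15 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user bob: 11 (Maximum number of tries exceeded)",
    "Jul  9 13:37:00 hostname sshd[2450]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2",
]

if __name__ == "__main__":
    for rec in chauthtok_failures(SAMPLE_LOG):
        print(f"{rec.timestamp} {rec.host} {rec.user}: {rec.symbol} ({rec.message})")
    print(failures_per_user(SAMPLE_LOG))
```

The sshd line with func "auth" is parsed but dropped by chauthtok_failures, so a login failure and a failed password change are not lumped together; the unparsed "Accepted publickey" line is ignored entirely.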

I discussed the issue on IRC with Stephen. We came to the conclusion that we should add a quite generic message along the lines of "Old password not accepted". The reason for such a generic message is that it's not quite clear that all the scenarios where the bind with the old password would end up returning PAM_AUTH_ERROR would also mean that the old password was mistyped.

Fields changed

owner: somebody => mzidek

resolution: => fixed
status: new => closed

Fields changed

changelog: => When the user enters old password wrong during a password change, the SSSD now prints a more descriptive error message.

Metadata Update from @dpal:
- Issue assigned to mzidek
- Issue set to the milestone: SSSD 1.10.2

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3071

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
