Description of problem:
Trying to do a password change as an LDAP user using pam_sss.so and entering the wrong 'current' password results in:

passwd: Authentication token manipulation error

which can be interpreted by an end user as a system error rather than the hint of a wrong password.

Version-Release number of selected component (if applicable):
sssd-client-1.9.2-82.el6

How reproducible:
Always

Steps to Reproduce:
1. configure ldap server with at least one user
2. configure sssd to use ldap as the id_provider, auth_provider and chpass_provider
3. set sss as provider in /etc/nsswitch.conf
4. enable pam_sss in system-auth-ac as per RHEL6 Deployment guide
5. login as the ldap user
6. issue a password change request by running passwd
7. enter a wrong 'current' password

Actual results:
$ passwd
Changing password for user ldapuser.
Current Password:
passwd: Authentication token manipulation error

Expected results:
More descriptive message like:
Authentication failed for user ldapuser

Additional info:
* The authentication failure is logged in /var/log/secure as
  Jul 9 13:33:11 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user ldapuser: 7 (Authentication failure)
* It looks like the pam module returns PAM_AUTHTOK_ERR instead of PAM_AUTH_ERR
* Similar behavior when using pam_unix with a local user
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=983028 (Red Hat Enterprise Linux 6)
I discussed the issue on IRC with Stephen. We came to the conclusion that we should add a quite generic message along the lines of "Old password not accepted". The reason for such a generic message is that it's not quite clear that all the scenarios where the bind with the old password would end up returning PAM_AUTH_ERROR would also mean that the old password was mistyped.
Fields changed
owner: somebody => mzidek
resolution: => fixed
status: new => closed
changelog: => When the user enters old password wrong during a password change, the SSSD now prints a more descriptive error message.
Metadata Update from @dpal: - Issue assigned to mzidek - Issue set to the milestone: SSSD 1.10.2
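Because the message shown to the user is ambiguous, the /var/log/secure entry quoted in the report is where an administrator can see the actual cause. The following is an added example, not part of the ticket or of SSSD: it parses lines in that format and counts rejected current passwords during password changes. The function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Line layout taken from the /var/log/secure entry quoted in the report:
# <date> <host> <prog>: pam_sss(<service>:<phase>): Authentication failed for user <user>: <code> (<text>)
PAM_SSS_FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+(?P<prog>[^:\[\s]+)(?:\[\d+\])?:\s+"
    r"pam_sss\((?P<service>[^:)]+):(?P<phase>[^)]+)\):\s+"
    r"Authentication failed for user (?P<user>\S+):\s+(?P<code>\d+)\s+\((?P<text>[^)]*)\)"
)

PAM_AUTH_ERR = 7  # Linux-PAM value, the "7 (Authentication failure)" in the report


def parse_failure(line):
    """Return the fields of a pam_sss failure line as a dict, or None."""
    m = PAM_SSS_FAILURE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["code"] = int(event["code"])
    return event


def rejected_old_passwords(lines):
    """Count password changes where the current password was rejected, per user."""
    counts = Counter()
    for line in lines:
        ev = parse_failure(line)
        # chauthtok is the PAM password-change phase seen in the quoted log line.
        if ev and ev["phase"] == "chauthtok" and ev["code"] == PAM_AUTH_ERR:
            counts[ev["user"]] += 1
    return counts


# First line is the one from the report; the rest are constructed for this example.
SAMPLE = [
    "Jul 9 13:33:11 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user ldapuser: 7 (Authentication failure)",
    "Jul 9 13:34:02 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user ldapuser: 7 (Authentication failure)",
    "Jul 9 13:35:40 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user alice: 9 (Authentication service cannot retrieve authentication info)",
    "Jul 9 13:36:00 hostname sshd[2211]: Accepted password for bob from 192.0.2.10 port 50022 ssh2",
]

if __name__ == "__main__":
    for user, n in rejected_old_passwords(SAMPLE).items():
        print(f"{user}: {n} rejected current password(s) during password change")
```

The constructed line with code 9 is parsed but not counted, so a failure caused by an unreachable backend is kept apart from a rejected password.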
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3071
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.