Description of problem:
Trying to do a password change as a LDAP user using pam_sss.so and entering
the wrong 'current' password results in: passwd: Authentication token
which can be interpreted by an end user as a system error rather than the hint
of a wrong password.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. configure ldap server with at least one user
2. configure sssd to use ldap as the id_provider, auth_provider and
3. set sss as provider in /etc/nsswitch.conf
4. enable pam_sss in system-auth-ac as per RHEL6 Deployment guide
5. login as the ldap user
6. issue a password change request by running passwd
7. enter a wrong 'current' password
Changing password for user ldapuser.
passwd: Authentication token manipulation error
More descriptive message like:
Authentication failed for user ldapuser
* The authentication failure is logged in /var/log/secure as
Jul 9 13:33:11 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user ldapuser: 7 (Authentication failure)
* It looks like the pam module returns PAM_AUTHTOK_ERR instead of PAM_AUTH_ERR
* Similar behavior when using pam_unix with a local user
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=983028 (Red Hat Enterprise Linux 6)
rhbz: => 983028 (https://bugzilla.redhat.com/show_bug.cgi?id=983028)
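A log-triage sketch for the /var/log/secure entry quoted in the report, added here as an example and not part of the original ticket or SSSD's code: it separates a rejected old password in the `chauthtok` phase from other pam_sss failures, which the `passwd` message alone does not reveal. The function names and every sample line except the first are constructed, and the numeric codes assume Linux-PAM (7 = PAM_AUTH_ERR, 20 = PAM_AUTHTOK_ERR).

```python
import re
from collections import Counter

# Linux-PAM return codes relevant to this ticket (assumed from Linux-PAM headers).
PAM_CODES = {7: "PAM_AUTH_ERR", 20: "PAM_AUTHTOK_ERR"}

# Matches the pam_sss failure line format quoted in the report.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?:\s"
    r"pam_sss\((?P<service>[^:)]+):(?P<phase>[^)]+)\):\s"
    r"Authentication failed for user (?P<user>\S+):\s"
    r"(?P<code>\d+)\s\((?P<text>[^)]*)\)"
)

def parse_line(line):
    """Return a dict for a pam_sss failure line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    rec["code_name"] = PAM_CODES.get(rec["code"], "OTHER")
    # Code 7 logged during chauthtok means the old password was rejected,
    # even though passwd printed "Authentication token manipulation error".
    rec["wrong_old_password"] = rec["phase"] == "chauthtok" and rec["code"] == 7
    return rec

def old_password_failures(lines):
    """Count rejected old-password attempts per user across log lines."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["wrong_old_password"]:
            counts[rec["user"]] += 1
    return counts

# First line is from the report; the rest are constructed in the same format.
SAMPLE_LOG = [
    "Jul 9 13:33:11 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user ldapuser: 7 (Authentication failure)",
    "Jul 9 13:33:40 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user ldapuser: 7 (Authentication failure)",
    "Jul 9 13:35:02 hostname sshd[2211]: pam_sss(sshd:auth): Authentication failed for user ldapuser: 7 (Authentication failure)",
    "Jul 9 13:36:15 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user otheruser: 7 (Authentication failure)",
    "Jul 9 13:37:00 hostname crond[900]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for user, n in old_password_failures(SAMPLE_LOG).items():
        print(f"{user}: {n} rejected old-password attempt(s) during passwd")
```

Repeated `chauthtok` failures for one account are worth separating from login failures, since they come from an already logged-in session.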
I discussed the issue on IRC with Stephen. We came to the conclusion that we should add a quite generic message along the lines of "Old password not accepted". The reason for such a generic message is that it's not quite clear that all the scenarios where the bind with the old password would end up returning PAM_AUTH_ERROR would also mean that the old password was mistyped.
owner: somebody => mzidek
resolution: => fixed
status: new => closed
changelog: => When the user enters old password wrong during a password change, the SSSD now prints a more descriptive error message.
Metadata Update from @dpal:
- Issue assigned to mzidek
- Issue set to the milestone: SSSD 1.10.2
SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.
This issue has been cloned to Github and is available here:
If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.