After doing some digging, I found a piece of advice that setting 'ChallengeResponseAuthentication yes' in sshd_config would give better error messages. However, it seems to have solved the problem entirely, though I can't say I understand how.
-- Mitch Patenaude
On 1/31/18, 9:19 AM, "Mitch Patenaude" <mpatenaude@xxxxxxxxxxxxxx> wrote:
Hi, following some advice I received here a few months back, I'm trying to get sssd set up for auth with a 389-ds backend. Almost everything works well, except for the ability to change expired passwords. When A user has an expired password, he/she is unable to change it. The exchange looks like:
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user testacct2.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Failed to update password
passwd: Authentication token is no longer valid; new one required
And the entry in /var/log/secure looks like:
Jan 30 16:44:37 ldap01 passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Failed to update password
Jan 30 16:44:37 ldap01 passwd: pam_sss(passwd:chauthtok): Password change failed for user testacct2: 12 (Authentication token is no longer valid; new one required)
And the associated entry in /etc/pam.d/system-auth is:
password sufficient pam_sss.so use_authtok
I'm hoping that somebody else here has solved this problem.
-- Mitch Patenaude
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
