[Pkg-sssd-devel] Bug#928286: libpam-sss: passwd change does not prompt for new passwd unless using pam_sss.so prompt_always
J. Pfennig
ingo at j-pfennig.de
Wed May 1 10:20:46 BST 2019
Package: libpam-sss
Version: 1.16.3-3.1
Severity: normal
Dear Maintainer,
problem: changing SAMBA AD DC passwd using SSSD with AD providers
When user runs 'passwd' the old pw is prompted for and validated but
not prompt for a new pw is shows. SSSD log and source code indicate
that pam_sss.so returns an empty authtok.
outcome:
User cannot change password (unless using samba-tool).
work-around:
Using pam_sss.so prompt_always in common-auth.
common-auth (autogenerated by pam-auth-config and patched):
...
# here are the per-package modules (the "Primary" block)
password [success=2 default=ignore] pam_unix.so obscure sha512
password sufficient pam_sss.so prompt_always
#password sufficient pam_sss.so use_authtok
# here's the fallback if no module succeeds
....
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-4-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libpam-sss depends on:
ii libc6 2.28-8
ii libpam-pwquality 1.4.0-3
ii libpam-runtime 1.3.1-5
ii libpam0g 1.3.1-5
Versions of packages libpam-sss recommends:
pn sssd <none>
libpam-sss suggests no packages.
-- no debconf information
More information about the Pkg-sssd-devel
mailing list