[Pkg-sssd-devel] Bug#928286: libpam-sss: passwd change does not prompt for new passwd unless using pam_sss.so prompt_always

[J. Pfennig]

Package: libpam-sss
Version: 1.16.3-3.1
Severity: normal

Dear Maintainer,

problem: changing SAMBA AD DC passwd using SSSD with AD providers

   When user runs 'passwd' the old pw is prompted for and validated but
   not prompt for a new pw is shows. SSSD log and source code indicate
   that pam_sss.so returns an empty authtok.

outcome:

   User cannot change password (unless using samba-tool).

work-around:

   Using pam_sss.so prompt_always in common-auth.

common-auth (autogenerated by pam-auth-config and patched):

...
# here are the per-package modules (the "Primary" block)
password        [success=2 default=ignore]      pam_unix.so obscure sha512
password        sufficient                      pam_sss.so prompt_always
#password       sufficient                      pam_sss.so use_authtok
# here's the fallback if no module succeeds
....

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libpam-sss depends on:
ii  libc6             2.28-8
ii  libpam-pwquality  1.4.0-3
ii  libpam-runtime    1.3.1-5
ii  libpam0g          1.3.1-5

Versions of packages libpam-sss recommends:
pn  sssd  <none>

libpam-sss suggests no packages.

-- no debconf information