Client: Red Hat Enterprise Linux 6.1. LDAP server: 389 Directory Server (administered through 389-console).
Cannot change an LDAP user's password from a RHEL 6 client that uses sssd (changing a local user's password works). Other clients (HP-UX, RHEL 5, SUSE 11) change the password of the same LDAP account without any problem.
Setting ldap_pwd_policy = shadow (or none) in sssd.conf does not help, and reconfiguring with the system-config-authentication GUI does not help either. Note that in the sssd log below the directory server itself rejects the password-modify extended operation with "Constraint violation (19)", so the rejection is decided on the server side, not by the client options. Please help.
Thanks
Tuan
LOG:
$ passwd
Changing password for user tnng.
Current Password:
New password:
Retype new password:
passwd: Authentication token manipulation error
$
/var/log/secure:
Dec 27 11:40:10 dnsadmin passwd: pam_unix(passwd:chauthtok): user "tnng" does not exist in /etc/passwd
Dec 27 11:40:40 dnsadmin passwd: pam_unix(passwd:chauthtok): user "tnng" does not exist in /etc/passwd
Dec 27 11:40:40 dnsadmin passwd: pam_sss(passwd:chauthtok): Password change failed for user tnng: 4 (System error)
[root@dnadmin sssd]# tail -f /var/log/sssd/sssd_default.log
(Thu Dec 27 13:01:25 2012) [sssd[be[default]]] [sdap_control_create] (3): Server does not support the requested control [1.3.6.1.4.1.42.2.27.8.5.1].
(Thu Dec 27 13:01:25 2012) [sssd[be[default]]] [sdap_exop_modify_passwd_send] (4): Executing extended operation
(Thu Dec 27 13:01:25 2012) [sssd[be[default]]] [sdap_exop_modify_passwd_done] (5): Server returned no controls.
(Thu Dec 27 13:01:25 2012) [sssd[be[default]]] [sdap_exop_modify_passwd_done] (3): ldap_extended_operation result: Constraint violation(19), Failed to update password
/etc/sssd/sssd.conf:
[sssd]
# Global SSSD settings: one domain ("default", below) serves both the nss and
# pam responders.
config_file_version = 2
services = nss, pam
domains = default
# debug_level 5 with debug_to_files writes to /var/log/sssd/ (the
# sssd_default.log excerpt above comes from there). Lower it again once the
# problem is solved; the logs can contain user names and server details.
debug_level = 5
debug_to_files = true
[nss]
# Lifetime (seconds) of the enumeration cache; enumerate = True is set in the
# domain section, so this is actually in use.
enum_cache_timeout = 30
# Accounts that are never looked up through SSSD (local/system users).
# NOTE(review): there is a stray space before "nscd"; SSSD is expected to trim
# it, but keep the list strictly comma-separated to be safe.
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news, nscd
[domain/default]
# Identity, authentication and password change all go to LDAP. With
# chpass_provider = ldap SSSD changes passwords through the LDAP Password
# Modify extended operation (the "sdap_exop_modify_passwd" lines in the log).
# The sssd_default.log above shows the SERVER answering that operation with
# "Constraint violation(19)", i.e. the directory rejected the new password.
# That is decided on the 389 DS side (password policy -- e.g. minimum
# length/age, history, syntax checking -- or the user not being allowed to
# modify its own userPassword); client options such as ldap_pwd_policy cannot
# override it. Look at the 389 DS access/errors logs for the exact reason.
# The "Server does not support the requested control [1.3.6.1.4.1.42.2.27.8.5.1]"
# line appears to refer to the LDAP password-policy request control; without
# it SSSD only gets the generic error code, it is not itself the cause.
# (Unverified: the clients that succeed may be using a plain modify of
# userPassword instead of the extended operation, which would explain why
# only the sssd client is affected.)
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# StartTLS is used on the plain ldap:// URIs for identity lookups. By default
# SSSD will not send bind/chpass passwords over an unencrypted connection, so
# the server certificate must validate against the CA certificates in
# ldap_tls_cacertdir (ldap_tls_reqcert is not set here; confirm it is left at
# its strict default rather than relaxed).
ldap_id_use_start_tls = True
# enumerate = True lets any local user list the whole directory with
# "getent passwd" and adds load on the servers; keep it only if required.
enumerate = True
# cache_credentials keeps a hash of each successful password in SSSD's local
# cache so users can log in offline; acceptable on a laptop, reconsider on a
# shared server.
cache_credentials = True
ldap_search_base = dc=NNIT
# The krb5_* values are inert in this domain: no provider uses krb5 (all three
# are ldap). They look like authconfig defaults and can be removed.
krb5_realm = EXAMPLE.COM
ldap_uri = ldap://centaur.csn.ng.com,ldap://zpm.csn.ng.com
krb5_kdcip = kerberos.example.com
ldap_tls_cacertdir = /etc/openldap/cacerts
[root@dnsadmin pam.d]# cat sshd
#%PAM-1.0
# This file is initially placed by the NIT standard installation kickstart file.
# NOTE(review): this stack governs ssh logins only. The failing "passwd"
# command in /var/log/secure is logged as passwd:chauthtok, which on RHEL 6
# goes through /etc/pam.d/passwd (normally "password include system-auth"),
# not through this file. If PAM is suspected, post /etc/pam.d/passwd,
# system-auth and password-auth instead. The pam_unix "does not exist in
# /etc/passwd" lines are expected for a directory user; the real failure is
# pam_sss returning 4 (System error) after the LDAP server rejected the change.
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
# pam_access enforces the login-source rules in /etc/security/access.conf.
account required pam_access.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth