#3109 Wrong pam error code returned for password change in offline mode
Closed: Fixed None Opened 7 years ago by lslebodn.

sssd used to inform about the password change in offline mode:

    sh$ passwd puser1
    Changing password for user puser1.
    System is offline, password change not possible
    passwd: Authentication token manipulation error

The PAM error code should be 9 and not 6.

sssd.conf is minimal:

    [sssd]
    services = nss, pam
    domains = LDAP

    [nss]

    [pam]

    [domain/LDAP]
    id_provider = ldap
    ldap_uri = ldaps://$SERVER
    ldap_search_base = $DS_BASE_DN
    ldap_tls_cacert = /etc/openldap/certs/cacert.asc

Reproducer:

  • start sssd
  • authenticate with test_user in online mode
  • block access to LDAP
  • try to change the password for the user:
    passwd test_user

Expected result:

    sh# grep -E "pam_dp|pam_print_data" /var/log/sssd/sssd_pam.log
    [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_CHAUTHTOK_PRELIM
    [sssd[pam]] [pam_print_data] (0x0100): domain: not set
    [sssd[pam]] [pam_print_data] (0x0100): user: puser1
    [sssd[pam]] [pam_print_data] (0x0100): service: passwd
    [sssd[pam]] [pam_print_data] (0x0100): tty: pts/0
    [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
    [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
    [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
    [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
    [sssd[pam]] [pam_print_data] (0x0100): priv: 1
    [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 15559
    [sssd[pam]] [pam_print_data] (0x0100): logon name: puser1
    [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
    [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_CHAUTHTOK_PRELIM
    [sssd[pam]] [pam_print_data] (0x0100): domain: LDAP
    [sssd[pam]] [pam_print_data] (0x0100): user: puser1
    [sssd[pam]] [pam_print_data] (0x0100): service: passwd
    [sssd[pam]] [pam_print_data] (0x0100): tty: pts/0
    [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
    [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
    [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
    [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
    [sssd[pam]] [pam_print_data] (0x0100): priv: 1
    [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 15559
    [sssd[pam]] [pam_print_data] (0x0100): logon name: puser1
    [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
    [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [9 (Authentication service cannot retrieve authentication info)][LDAP]

Current result:

    sh# grep -E "pam_dp|pam_print_data" /var/log/sssd/sssd_pam.log
    [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_CHAUTHTOK_PRELIM
    [sssd[pam]] [pam_print_data] (0x0100): domain: not set
    [sssd[pam]] [pam_print_data] (0x0100): user: puser1
    [sssd[pam]] [pam_print_data] (0x0100): service: passwd
    [sssd[pam]] [pam_print_data] (0x0100): tty: pts/0
    [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
    [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
    [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
    [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
    [sssd[pam]] [pam_print_data] (0x0100): priv: 1
    [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 17140
    [sssd[pam]] [pam_print_data] (0x0100): logon name: puser1
    [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
    [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_CHAUTHTOK_PRELIM
    [sssd[pam]] [pam_print_data] (0x0100): domain: LDAP
    [sssd[pam]] [pam_print_data] (0x0100): user: puser1@ldap
    [sssd[pam]] [pam_print_data] (0x0100): service: passwd
    [sssd[pam]] [pam_print_data] (0x0100): tty: pts/0
    [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
    [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
    [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
    [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
    [sssd[pam]] [pam_print_data] (0x0100): priv: 1
    [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 17140
    [sssd[pam]] [pam_print_data] (0x0100): logon name: puser1
    [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
    [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [6 (Permission denied)][LDAP]

This change was introduced by commit dea636a "DP: Switch to new interface".
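The `pam_dp_process_reply` line is the quickest place to confirm the regression and, later, the fix. As an added example (not part of this ticket and not SSSD's own code), the Python script below parses the `pam_print_data` / `pam_dp_process_reply` lines in the format shown above, pairs each backend reply with the request fields printed before it, names the numeric code using the Linux-PAM values from `<security/_pam_types.h>`, and flags password-change replies that are not 9 (PAM_AUTHINFO_UNAVAIL). It assumes, as the reproducer does, that the log was captured while the backend was offline; the two embedded log excerpts are constructed, abbreviated from the "Expected result" and "Current result" output above.

```python
"""Check sssd_pam.log replies for offline password-change requests.

Added example for this ticket; assumes the log was taken with the LDAP
backend offline, so every SSS_PAM_CHAUTHTOK* request should be answered
with PAM_AUTHINFO_UNAVAIL (9) rather than PAM_PERM_DENIED (6).
"""
import re

# Linux-PAM return codes (numeric values from <security/_pam_types.h>).
PAM_CODES = {
    0: "PAM_SUCCESS",
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
    20: "PAM_AUTHTOK_ERR",
}
EXPECTED_OFFLINE_CODE = 9  # the value this ticket expects

# "[pam_print_data] (0x0100): <key>: <value>"
DATA_RE = re.compile(r"\[pam_print_data\] \(0x[0-9a-f]+\): ([a-z_ ]+): (.*)$")
# "[pam_dp_process_reply] (0x0200): received: [<code> (<text>)][<domain>]"
REPLY_RE = re.compile(
    r"\[pam_dp_process_reply\] \(0x[0-9a-f]+\): received: "
    r"\[(\d+) \(([^)]*)\)\]\[([^\]]*)\]$"
)


def parse_pam_log(lines):
    """Return one dict per backend reply, carrying the request fields seen
    before it.  Later pam_print_data values overwrite earlier ones, so the
    forwarded request (domain set, possibly qualified user) wins."""
    records, current = [], {}
    for line in lines:
        m = DATA_RE.search(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
            continue
        m = REPLY_RE.search(line)
        if m:
            current["reply_code"] = int(m.group(1))
            current["reply_text"] = m.group(2)
            current["reply_domain"] = m.group(3)
            records.append(current)
            current = {}
    return records


def pam_code_name(code):
    """Symbolic Linux-PAM name for a numeric return code."""
    return PAM_CODES.get(code, f"unknown({code})")


def find_wrong_offline_chauthtok(lines):
    """Return (user, code, name) for every password-change request whose
    reply is not PAM_AUTHINFO_UNAVAIL; empty list means the log is clean."""
    findings = []
    for rec in parse_pam_log(lines):
        if not rec.get("command", "").startswith("SSS_PAM_CHAUTHTOK"):
            continue
        code = rec["reply_code"]
        if code != EXPECTED_OFFLINE_CODE:
            findings.append((rec.get("user"), code, pam_code_name(code)))
    return findings


# Constructed excerpt, abbreviated from the ticket's "Current result" log.
CURRENT_LOG = """\
[sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_CHAUTHTOK_PRELIM
[sssd[pam]] [pam_print_data] (0x0100): domain: not set
[sssd[pam]] [pam_print_data] (0x0100): user: puser1
[sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
[sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_CHAUTHTOK_PRELIM
[sssd[pam]] [pam_print_data] (0x0100): domain: LDAP
[sssd[pam]] [pam_print_data] (0x0100): user: puser1@ldap
[sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [6 (Permission denied)][LDAP]
""".splitlines()

# Constructed excerpt, abbreviated from the ticket's "Expected result" log.
EXPECTED_LOG = """\
[sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_CHAUTHTOK_PRELIM
[sssd[pam]] [pam_print_data] (0x0100): domain: not set
[sssd[pam]] [pam_print_data] (0x0100): user: puser1
[sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
[sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_CHAUTHTOK_PRELIM
[sssd[pam]] [pam_print_data] (0x0100): domain: LDAP
[sssd[pam]] [pam_print_data] (0x0100): user: puser1
[sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [9 (Authentication service cannot retrieve authentication info)][LDAP]
""".splitlines()

if __name__ == "__main__":
    for label, log in (("current", CURRENT_LOG), ("expected", EXPECTED_LOG)):
        print(label, find_wrong_offline_chauthtok(log))
```

Run it against a real `/var/log/sssd/sssd_pam.log` by passing `open(path)` to `find_wrong_offline_chauthtok`; anything it returns for a log captured with the backend blocked is the bug this ticket describes.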

Fields changed

owner: somebody => pcech

Fields changed

status: new => assigned

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.14.1

Fields changed

patch: 0 => 1

master:

resolution: => fixed
status: assigned => closed

Metadata Update from @lslebodn:
- Issue assigned to pcech
- Issue set to the milestone: SSSD 1.14.1

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4142

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
