Problem with transition user's credentials through pam-stack #5418
Comments
I added debug info into pam_sss() at the beginning, right after get_pam_items(). Here I used the "use_first_pass" parameter:
Here I removed the "use_first_pass" parameter from the config. In this case I enter the current password manually, but the new password is obtained automatically.
I believe that pi.authtok should be initialized from PAM_OLDAUTHTOK in get_authtok_for_password_change() when use_first_pass is set in the PAM configuration.
Hi, thanks for the analysis. You might be right, but I have to figure out how the PAM variables are set in a typical setup where pam_pwquality and pam_unix are called before pam_sss. I thought that the old password in this case was already requested by one of the other modules as well, as it is in your case. But I might be wrong. bye,
@ikerexxe, could you please take a look?
I'll take a look at it in the following days |
The scenario explained in this ticket fails as if no password was stacked. Currently, sssd (v2.9.1) always requests the old password. If I set @sumit-bose since
Hi, thanks for looking into this. I guess in the bye,
Pushed PR: #7500
Hello,
I'm not sure whether my situation is an issue or not, but I can't see any mistake on my side. It seems there is an issue when using the use_first_pass parameter and the old password needs to be obtained from another module. I would be grateful if somebody could give any advice or clarification.
My setup and environment:
I have several test hosts (based on Debian and Red Hat) and two test domains, FreeIPA and AD, each of which includes a test user with the password q1w2e3r4t5y6. In both domains the password is marked as expired, so the user's first login leads to changing the current password.
On the client host I put these configs at the top of all the main pam-configs (just for testing, to avoid any interaction with other PAM modules):
So I expect that after authentication pam_sss will get the current and new user passwords from my_custom_pam.so without any prompt, and the password change will be performed automatically without the user's participation.
my_custom_pam.so includes two simple functions which provide the test user's credentials:
When I try to authenticate my test user I get, as expected, "Password expired. Change your password now." and, not expected, "Old password not accepted".
According to the log
I can't get through the chauthtok prelim step and finish the password change.
The server doesn't accept the user's credentials, but the credentials are absolutely right. Moreover, if I remove the use_first_pass parameter and enter the current password manually when pam_sss gives a prompt (I mean that I enter the same password), it works; the password is changed successfully in this case.
I got the same result with FreeIPA and Active Directory. I use SSSD-2.0.0.
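As an added example (not SSSD's code and not the reporter's my_custom_pam.so), the following self-contained C model shows the stacking behaviour described in the issue body and in the comment about get_authtok_for_password_change(): a first module stores the current password in PAM_OLDAUTHTOK during the prelim phase and the new password in PAM_AUTHTOK during the update phase, and a later module configured with use_first_pass reads those items back instead of prompting, and fails closed when nothing was stacked. The pam_handle_t item store, the conversation callback, the passwords and all function names are stand-ins so that it runs without libpam; the item numbers mirror Linux-PAM's.

```c
/* Added example, not SSSD's code: a model of credential stacking through a
 * PAM chauthtok stack. The item store and the conversation callback are
 * stand-ins for pam_handle_t and pam_conv (assumption), so no libpam needed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAM_SUCCESS      0
#define PAM_AUTHTOK_ERR  20
#define PAM_AUTHTOK      6   /* new password item, as in Linux-PAM */
#define PAM_OLDAUTHTOK   7   /* current password item, as in Linux-PAM */

enum { PRELIM_CHECK = 1, UPDATE_AUTHTOK = 2 };

/* Stand-in for the pam_handle_t item store. */
typedef struct {
    char *items[8];
    int prompts_issued;   /* how often the consumer fell back to asking the user */
} fake_pamh;

static const char *get_item(const fake_pamh *h, int type) { return h->items[type]; }

static int set_item(fake_pamh *h, int type, const char *val) {
    free(h->items[type]);
    h->items[type] = val ? strdup(val) : NULL;
    return PAM_SUCCESS;
}

/* Stand-in for the conversation function: what a user would type at a prompt. */
static char *ask_user(fake_pamh *h, const char *prompt) {
    (void)prompt;
    h->prompts_issued++;
    return strdup("typed-by-user");   /* constructed value */
}

/* First module in the stack (role of the reporter's my_custom_pam.so):
 * supplies the current and the new password for later modules. */
static int custom_chauthtok(fake_pamh *h, int phase) {
    if (phase == PRELIM_CHECK)
        return set_item(h, PAM_OLDAUTHTOK, "q1w2e3r4t5y6");   /* password from the issue */
    return set_item(h, PAM_AUTHTOK, "new-password-1");         /* constructed value */
}

/* The behaviour the thread asks for in the consumer (role of pam_sss):
 * in the prelim phase take the old password from PAM_OLDAUTHTOK, in the
 * update phase the new one from PAM_AUTHTOK; with use_first_pass never
 * prompt, and fail if nothing was stacked. */
static int consumer_get_authtok(fake_pamh *h, int phase, int use_first_pass, char **out) {
    int type = (phase == PRELIM_CHECK) ? PAM_OLDAUTHTOK : PAM_AUTHTOK;
    const char *stacked = get_item(h, type);
    if (stacked) { *out = strdup(stacked); return PAM_SUCCESS; }
    if (use_first_pass) { *out = NULL; return PAM_AUTHTOK_ERR; }   /* fail closed */
    *out = ask_user(h, phase == PRELIM_CHECK ? "Current password: " : "New password: ");
    return *out ? PAM_SUCCESS : PAM_AUTHTOK_ERR;
}

typedef struct { int rc; int prompts; char old_password[64]; } stack_result;

/* Run the stack through both chauthtok phases and report what the consumer
 * used as the old password and how many prompts it needed. */
stack_result run_stack(int stack_custom_first, int use_first_pass) {
    fake_pamh h; memset(&h, 0, sizeof h);
    stack_result r; memset(&r, 0, sizeof r);
    char *tok = NULL;
    for (int phase = PRELIM_CHECK; phase <= UPDATE_AUTHTOK && r.rc == PAM_SUCCESS; phase++) {
        if (stack_custom_first) custom_chauthtok(&h, phase);
        r.rc = consumer_get_authtok(&h, phase, use_first_pass, &tok);
        if (r.rc == PAM_SUCCESS && phase == PRELIM_CHECK)
            snprintf(r.old_password, sizeof r.old_password, "%s", tok);
        free(tok); tok = NULL;
    }
    r.prompts = h.prompts_issued;
    for (int i = 0; i < 8; i++) free(h.items[i]);
    return r;
}

/* Small accessors for checking the three scenarios. */
int stack_rc(int custom_first, int ufp) { return run_stack(custom_first, ufp).rc; }
int stack_prompts(int custom_first, int ufp) { return run_stack(custom_first, ufp).prompts; }
int stack_old_matches(int custom_first, int ufp, const char *expected) {
    stack_result r = run_stack(custom_first, ufp);
    return strcmp(r.old_password, expected) == 0;
}

int main(void) {
    stack_result r = run_stack(1, 1);
    printf("stacked + use_first_pass:         rc=%d old=%s prompts=%d\n", r.rc, r.old_password, r.prompts);
    r = run_stack(0, 0);
    printf("nothing stacked, no use_first_pass: rc=%d old=%s prompts=%d\n", r.rc, r.old_password, r.prompts);
    r = run_stack(0, 1);
    printf("nothing stacked + use_first_pass:   rc=%d (fails closed, no prompt)\n", r.rc);
    return 0;
}
```

The first scenario is the reporter's intended configuration: both passwords come from the stacked items and no prompt is issued. The second is the reporter's fallback without use_first_pass, where the consumer prompts for each phase. The third shows why a consumer that ignores PAM_OLDAUTHTOK under use_first_pass is a usability problem rather than a safety one: the safe behaviour when use_first_pass is set and nothing was stacked is to fail, never to silently prompt.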