Sep 19 11:40:43 dns1 sshd[11197]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Sep 19 11:40:43 dns1 sshd[11197]: Accepted password for ykatabam from 10.64.48.102 port 47713 ssh2
Sep 19 11:40:43 dns1 sshd[11197]: pam_unix(sshd:session): session opened for user ykatabam by (uid=0)
Sep 19 11:40:43 dns1 passwd: pam_unix(passwd:chauthtok): user "ykatabam" does not exist in /etc/passwd
Sep 19 11:41:21 dns1 passwd: pam_unix(passwd:chauthtok): user "ykatabam" does not exist in /etc/passwd
Sep 19 11:41:22 dns1 sshd[11201]: Received disconnect from 10.64.48.102: 11: disconnected by user
Sep 19 11:41:22 dns1 sshd[11197]: pam_unix(sshd:session): session closed for user ykatabam
Sep 19 14:40:33 dns1 sshd[11113]: Received disconnect from 10.64.15.231: 11: disconnected by user

Looks like you're right Jakub.

From what I gather:
- the server requires a complex password in that cracklib.so, so it was suggested I take that "password requisite cracklib.so" out.
- with that gone, it looks kind of like IPA doesn't come into the picture?

I uncommented that line, and now it all works again, but I'm back to really-stringent-password-requirement-town.

What next?

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: [email protected]
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

----- Original Message -----
> From: "Jakub Hrozek" <[email protected]>
> To: "Tim Hildred" <[email protected]>
> Cc: [email protected]
> Sent: Wednesday, September 19, 2012 4:56:42 PM
> Subject: Re: [Freeipa-users] Password requirements too stringent
>
> On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote:
> > So, commenting out:
> > password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
> >
> > Caused users updating their passwords using ssh to get:
> >
> > [ykatabam@ykatabam ~]$ ssh [email protected]
> > [email protected]'s password:
> > Permission denied, please try again.
> > [email protected]'s password:
> > Password expired. Change your password now.
> > Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com
> > WARNING: Your password has expired.
> > You must change your password now and login again!
> > Changing password for user ykatabam.
> > Current Password:
> > Password change failed. Server message: Password change failed
> > passwd: Authentication token manipulation error
> > Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
> >
> > Is that to say that you need at least 1 password requisite? That
> > instead of commenting out the password requisite pam_cracklib.so,
> > I should have replaced it with something?
>
> What did /var/log/secure have to say?
>
> The message sounds to me like it's coming from the server..
