User cannot change password - [Password change failed. Server message: Failed to update password]

We are using RH7 and RDS10.

[user1@rdsserver01 ~]$ passwd
Changing password for user user1.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Failed to update password

passwd: Authentication token is no longer valid; new one required

/var/log/secure
Feb 28 12:08:03 rdsserver01 passwd: pam_unix(passwd:chauthtok): user "user1" does not exist in /etc/passwd
Feb 28 12:08:03 rdsserver01 passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Failed to update password
Feb 28 12:08:03 rdsserver01 passwd: pam_sss(passwd:chauthtok): Password change failed for user user1: 12 (Authentication token is no longer valid; new one required)

/var/log/sssd/sssd_default.log
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [find_password_expiration_attributes] (0x4000): No password policy requested.
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [simple_bind_send] (0x0100): Executing simple bind as: uid=user1,ou=Administrators,dc=abcsupport,dc=gte
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [simple_bind_send] (0x2000): ldap simple bind sent, msgid = 1
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_op_add] (0x2000): New operation 1 timeout 6
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x56295ed10fb0], connected[1], ops[0x56295ecf9310], ldap[0x56295ecfb1b0]
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_BIND]
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [simple_bind_done] (0x2000): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [simple_bind_done] (0x1000): Password Policy Response: expire [445277] grace [-1] error [No error].
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [simple_bind_done] (0x1000): Password will expire in [445277] seconds.
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [simple_bind_done] (0x2000): Server returned control [2.16.840.1.113730.3.4.5].
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [simple_bind_done] (0x1000): Password will expire in [445277] seconds.
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_op_destructor] (0x2000): Operation 1 finished
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [auth_bind_user_done] (0x4000): Found ppolicy data, assuming LDAP password policies are active.
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_pam_chpass_handler_auth_done] (0x1000): user [uid=user1,ou=Administrators,dc=abcsupport,dc=gte] successfully authenticated.
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_control_create] (0x0080): Server does not support the requested control [1.3.6.1.4.1.42.2.27.8.5.1].
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_exop_modify_passwd_send] (0x0100): Executing extended operation
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_exop_modify_passwd_send] (0x2000): ldap_extended_operation sent, msgid = 2
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_op_add] (0x2000): New operation 2 timeout 6
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x56295ed10fb0], connected[1], ops[0x56295ed10d50], ldap[0x56295ecfb1b0]
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x56295ed10fb0], connected[1], ops[0x56295ed10d50], ldap[0x56295ecfb1b0]
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_exop_modify_passwd_done] (0x0200): Server returned no controls.
(Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_exop_modify_passwd_done] (0x0080): ldap_extended_operation result: Constraint violation(19), Failed to update password

/var/log/dirsrv/slapd-rdsserver01/access
[28/Feb/2018:12:08:03.214755495 -0500] conn=77834 op=87 SRCH base="dc=abcsupport,dc=gte" scope=2 filter="(&(ipServicePort=55480)(objectClass=ipService))" attrs="objectClass cn ipServicePort ipServiceProtocol modifyTimestamp"
[28/Feb/2018:12:08:03.215226318 -0500] conn=77834 op=87 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[28/Feb/2018:12:08:03.219191886 -0500] conn=77834 op=88 SRCH base="dc=abcsupport,dc=gte" scope=2 filter="(&(ipServicePort=897)(objectClass=ipService))" attrs="objectClass cn ipServicePort ipServiceProtocol modifyTimestamp"
[28/Feb/2018:12:08:03.219424932 -0500] conn=77834 op=88 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[28/Feb/2018:12:08:03.223051902 -0500] conn=77834 op=89 SRCH base="dc=abcsupport,dc=gte" scope=2 filter="(&(ipServicePort=13802)(objectClass=ipService))" attrs="objectClass cn ipServicePort ipServiceProtocol modifyTimestamp"
[28/Feb/2018:12:08:03.223268695 -0500] conn=77834 op=89 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[28/Feb/2018:12:08:03.226842227 -0500] conn=77834 op=90 SRCH base="dc=abcsupport,dc=gte" scope=2 filter="(&(ipServicePort=36709)(objectClass=ipService))" attrs="objectClass cn ipServicePort ipServiceProtocol modifyTimestamp"
[28/Feb/2018:12:08:03.227067280 -0500] conn=77834 op=90 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[28/Feb/2018:12:08:03.230969027 -0500] conn=77834 op=91 SRCH base="dc=abcsupport,dc=gte" scope=2 filter="(&(ipServicePort=62775)(objectClass=ipService))" attrs="objectClass cn ipServicePort ipServiceProtocol modifyTimestamp"
[28/Feb/2018:12:08:03.231158189 -0500] conn=77834 op=91 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[28/Feb/2018:12:08:03.234903934 -0500] conn=77834 op=92 SRCH base="dc=abcsupport,dc=gte" scope=2 filter="(&(ipServicePort=55659)(objectClass=ipService))" attrs="objectClass cn ipServicePort ipServiceProtocol modifyTimestamp"
[28/Feb/2018:12:08:03.235072946 -0500] conn=77834 op=92 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[28/Feb/2018:12:08:03.238685582 -0500] conn=77834 op=93 SRCH base="dc=abcsupport,dc=gte" scope=2 filter="(&(ipServicePort=49312)(objectClass=ipService))" attrs="objectClass cn ipServicePort ipServiceProtocol modifyTimestamp"
[28/Feb/2018:12:08:03.238928242 -0500] conn=77834 op=93 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[28/Feb/2018:12:08:03.341706968 -0500] conn=77856 op=10 SRCH base="dc=abcsupport,dc=gte" scope=2 filter="(&(uid=user1)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbprincipalname cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krblastpwdchange krbpasswordexpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap sshpublickey mail"
[28/Feb/2018:12:08:03.342428144 -0500] conn=77856 op=10 RESULT err=0 tag=101 nentries=1 etime=0
[28/Feb/2018:12:08:03.352369504 -0500] conn=77856 op=11 SRCH base="ou=groups,dc=abcsupport,dc=gte" scope=2 filter="(&(memberUid=user1)(objectClass=posixGroup)(cn=)(&(gidNumber=)(!(gidNumber=0))))" attrs="objectClass cn userPassword gidNumber modifyTimestamp modifyTimestamp"
[28/Feb/2018:12:08:03.352822307 -0500] conn=77856 op=11 RESULT err=0 tag=101 nentries=1 etime=0 notes=U,P pr_idx=0 pr_cookie=-1
[28/Feb/2018:12:08:03.359771049 -0500] conn=77861 fd=170 slot=170 SSL connection from x.x.x.13 to x.x.x.13
[28/Feb/2018:12:08:03.367629350 -0500] conn=77861 TLS1.2 256-bit AES
[28/Feb/2018:12:08:03.368944453 -0500] conn=77861 op=0 BIND dn="uid=user1,ou=Administrators,dc=abcsupport,dc=gte" method=128 version=3
[28/Feb/2018:12:08:03.370680939 -0500] conn=77861 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user1,ou=administrators,dc=abcsupport,dc=gte"
[28/Feb/2018:12:08:03.371914731 -0500] conn=77861 op=1 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_plugin"
[28/Feb/2018:12:08:03.373998261 -0500] conn=77861 op=1 RESULT err=19 tag=120 nentries=0 etime=0
[28/Feb/2018:12:08:03.375051541 -0500] conn=77861 op=2 UNBIND
[28/Feb/2018:12:08:03.375074425 -0500] conn=77861 op=2 fd=170 closed - U1
[28/Feb/2018:12:08:03.383351108 -0500] conn=77860 op=5 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[28/Feb/2018:12:08:03.383987776 -0500] conn=77860 op=5 RESULT err=0 tag=120 nentries=0 etime=0
[28/Feb/2018:12:08:03.384498796 -0500] conn=77860 op=6 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[28/Feb/2018:12:08:03.386389593 -0500] conn=77860 op=6 RESULT err=0 tag=120 nentries=0 etime=0

/etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=604800 fail_interval=900
auth sufficient pam_unix.so try_first_pass
auth sufficient pam_sss.so use_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=604800 fail_interval=900
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=8 maxrepeat=3 type=
password required pam_pwhistory.so use_authtok remember=5
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_lastlog.so showfailed
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session sufficient pam_sss.so
session required pam_unix.so

/etc/pam.d/password-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

sssd.conf

[sssd]
services = nss, pam
config_file_version = 2
domains = default
reconnection_retries = 3
sbus_timeout = 30
debug_level = 9

# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.

; domains = LDAP

[nss]
filter_groups = root
filter_users = root
debug_level = 9

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
pwd_expiration_warning = 7
debug_level = 9

[domain/default]

# LDAP Configuration
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307
ldap_search_base = dc=abcsupport,dc=gte
ldap_group_search_base = ou=groups,dc=abcsupport,dc=gte
ldap_uri = ldaps://rdsserver01.abcsupport.gte:1636,ldaps://rdsserver02.abcsupport.gte:1636

# Encryption Settings
#ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cipher_suite = TLSv1.2+AES+SHA256+RSA
ldap_tls_reqcert = never
#ldap_tls_reqcert = demand

# Access Control Settings
access_provider = simple
simple_allow_groups = abc-admins,services,abc-admins,abc-jbosslog

# Misc Settings
debug_level = 9
enumerate = True
max_id = 3999
min_id = 2000
pwd_expiration_warning = 7
cache_credentials = False
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com

[sudo]

[autofs]

[ssh]

[pac]
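The one operation in the directory access log above that does not return err=0 is the RFC 3062 password-modify extended operation (oid 1.3.6.1.4.1.4203.1.11.1, name="passwd_modify_plugin") on conn=77861 op=1, which returns err=19. LDAP result code 19 is constraintViolation, and it is the same code SSSD reports as "Constraint violation(19)"; 389-ds / Red Hat Directory Server answers the password-modify extop with this code when the server-side password policy rejects the new value (minimum age, history or syntax checks), so the directory's errors log and the effective password policy for that user's subtree are where the cause will be recorded, not in PAM or sssd.conf. The script below is an added example, not code from the post or from SSSD or 389-ds: it correlates access-log BIND, SRCH and EXT operations with their RESULT lines by (conn, op), tags the password-modify extop by its OID, and reports every non-zero result together with the bind DN active on that connection. The embedded sample is constructed from the post's conn=77861 lines; the result-code table, the parsing regexes and the `<anonymous>` placeholder are assumptions of this example.

```python
"""Correlate 389-ds access-log operations with their RESULT lines and flag
failed password-modify extended operations (added example, not from the post)."""
import re

# RFC 4511 result codes most often seen when a chpass request is rejected.
# The mapping is this example's own; only the numbers are standard.
LDAP_RESULT_NAMES = {
    0: "success",
    19: "constraintViolation",        # 389-ds: server-side password policy rejected the value
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# RFC 3062 Password Modify extended operation (the oid seen in the post's access log).
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# Constructed sample: the conn=77861 lines from the post's access-log excerpt.
SAMPLE_LOG = """\
[28/Feb/2018:12:08:03.359771049 -0500] conn=77861 fd=170 slot=170 SSL connection from x.x.x.13 to x.x.x.13
[28/Feb/2018:12:08:03.367629350 -0500] conn=77861 TLS1.2 256-bit AES
[28/Feb/2018:12:08:03.368944453 -0500] conn=77861 op=0 BIND dn="uid=user1,ou=Administrators,dc=abcsupport,dc=gte" method=128 version=3
[28/Feb/2018:12:08:03.370680939 -0500] conn=77861 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user1,ou=administrators,dc=abcsupport,dc=gte"
[28/Feb/2018:12:08:03.371914731 -0500] conn=77861 op=1 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_plugin"
[28/Feb/2018:12:08:03.373998261 -0500] conn=77861 op=1 RESULT err=19 tag=120 nentries=0 etime=0
[28/Feb/2018:12:08:03.375051541 -0500] conn=77861 op=2 UNBIND
[28/Feb/2018:12:08:03.375074425 -0500] conn=77861 op=2 fd=170 closed - U1
"""

# Every access-log line starts with a timestamp and a connection id; op= is optional
# (connection open/close and TLS lines carry none).
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?:op=(?P<op>\d+) )?(?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
EXT_RE = re.compile(r'^EXT oid="(?P<oid>[^"]+)"(?: name="(?P<name>[^"]*)")?')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)')


def parse_access_log(lines):
    """Return one dict per failed operation: ts, conn, op, bind_dn, kind, detail, err, err_name."""
    bind_dn = {}      # conn id -> DN of the last BIND issued on that connection
    pending = {}      # (conn, op) -> what the operation was, until its RESULT arrives
    failures = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        conn, op, rest = m["conn"], m["op"], m["rest"]
        b = BIND_RE.match(rest)
        if b:
            bind_dn[conn] = b["dn"]
            pending[(conn, op)] = {"kind": "BIND", "detail": b["dn"]}
            continue
        e = EXT_RE.match(rest)
        if e:
            kind = "PASSWD_MODIFY" if e["oid"] == PASSWD_MODIFY_OID else "EXT"
            pending[(conn, op)] = {"kind": kind, "detail": e["name"] or e["oid"]}
            continue
        if rest.startswith("SRCH"):
            pending[(conn, op)] = {"kind": "SRCH", "detail": rest}
            continue
        r = RESULT_RE.match(rest)
        if r and op is not None:
            err = int(r["err"])
            info = pending.pop((conn, op), {"kind": "?", "detail": ""})
            if err != 0:
                failures.append({
                    "ts": m["ts"], "conn": conn, "op": op,
                    "bind_dn": bind_dn.get(conn, "<anonymous>"),
                    "kind": info["kind"], "detail": info["detail"],
                    "err": err, "err_name": LDAP_RESULT_NAMES.get(err, "unknown"),
                })
                if info["kind"] == "BIND":
                    # A failed BIND leaves the connection anonymous for later operations.
                    bind_dn.pop(conn, None)
    return failures


def describe(failure):
    """One-line, human-readable summary of a failed operation."""
    return (f"{failure['ts']} conn={failure['conn']} op={failure['op']} "
            f"{failure['kind']} ({failure['detail']}) as {failure['bind_dn']} "
            f"failed: err={failure['err']} {failure['err_name']}")


def find_failures(text=SAMPLE_LOG):
    """Parse a whole access log held in a string and return its failed operations."""
    return parse_access_log(text.splitlines())


if __name__ == "__main__":
    for f in find_failures():
        print(describe(f))
```

Run against a real file with `parse_access_log(open("/var/log/dirsrv/slapd-<instance>/access"))`; because operations are keyed on (conn, op), interleaved connections such as the replication traffic on conn=77860 in the post do not disturb the pairing, and a connection whose BIND failed is reported as anonymous from then on.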