  • User cannot change password - [Password change failed. Server message: Failed to update password]

    We are using RH7 and RDS10.

    [user1@rdsserver01 ~]$ passwd
    Changing password for user user1.
    Current Password:
    New password:
    Retype new password:
    Password change failed. Server message: Failed to update password

    passwd: Authentication token is no longer valid; new one required

    /var/log/secure
    Feb 28 12:08:03 rdsserver01 passwd: pam_unix(passwd:chauthtok): user "user1" does not exist in /etc/passwd
    Feb 28 12:08:03 rdsserver01 passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Failed to update password
    Feb 28 12:08:03 rdsserver01 passwd: pam_sss(passwd:chauthtok): Password change failed for user user1: 12 (Authentication token is no longer valid; new one required)

    /var/log/sssd/sssd_default.log
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [find_password_expiration_attributes] (0x4000): No password policy requested.
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [simple_bind_send] (0x0100): Executing simple bind as: uid=user1,ou=Administrators,dc=abcsupport,dc=gte
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [simple_bind_send] (0x2000): ldap simple bind sent, msgid = 1
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_op_add] (0x2000): New operation 1 timeout 6
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x56295ed10fb0], connected[1], ops[0x56295ecf9310], ldap[0x56295ecfb1b0]
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_BIND]
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [simple_bind_done] (0x2000): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [simple_bind_done] (0x1000): Password Policy Response: expire [445277] grace [-1] error [No error].
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [simple_bind_done] (0x1000): Password will expire in [445277] seconds.
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [simple_bind_done] (0x2000): Server returned control [2.16.840.1.113730.3.4.5].
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [simple_bind_done] (0x1000): Password will expire in [445277] seconds.
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_op_destructor] (0x2000): Operation 1 finished
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [auth_bind_user_done] (0x4000): Found ppolicy data, assuming LDAP password policies are active.
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_pam_chpass_handler_auth_done] (0x1000): user [uid=user1,ou=Administrators,dc=abcsupport,dc=gte] successfully authenticated.
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_control_create] (0x0080): Server does not support the requested control [1.3.6.1.4.1.42.2.27.8.5.1].
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_exop_modify_passwd_send] (0x0100): Executing extended operation
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_exop_modify_passwd_send] (0x2000): ldap_extended_operation sent, msgid = 2
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_op_add] (0x2000): New operation 2 timeout 6
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x56295ed10fb0], connected[1], ops[0x56295ed10d50], ldap[0x56295ecfb1b0]
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x56295ed10fb0], connected[1], ops[0x56295ed10d50], ldap[0x56295ecfb1b0]
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_exop_modify_passwd_done] (0x0200): Server returned no controls.
    (Wed Feb 28 12:08:03 2018) [sssd[be[default]]] [sdap_exop_modify_passwd_done] (0x0080): ldap_extended_operation result: Constraint violation(19), Failed to update password

    /var/log/dirsrv/slapd-rdsserver01/access
    [28/Feb/2018:12:08:03.214755495 -0500] conn=77834 op=87 SRCH base="dc=abcsupport,dc=gte" scope=2 filter="(&(ipServicePort=55480)(objectClass=ipService))" attrs="objectClass cn ipServicePort ipServiceProtocol modifyTimestamp"
    [28/Feb/2018:12:08:03.215226318 -0500] conn=77834 op=87 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
    [28/Feb/2018:12:08:03.219191886 -0500] conn=77834 op=88 SRCH base="dc=abcsupport,dc=gte" scope=2 filter="(&(ipServicePort=897)(objectClass=ipService))" attrs="objectClass cn ipServicePort ipServiceProtocol modifyTimestamp"
    [28/Feb/2018:12:08:03.219424932 -0500] conn=77834 op=88 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
    [28/Feb/2018:12:08:03.223051902 -0500] conn=77834 op=89 SRCH base="dc=abcsupport,dc=gte" scope=2 filter="(&(ipServicePort=13802)(objectClass=ipService))" attrs="objectClass cn ipServicePort ipServiceProtocol modifyTimestamp"
    [28/Feb/2018:12:08:03.223268695 -0500] conn=77834 op=89 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
    [28/Feb/2018:12:08:03.226842227 -0500] conn=77834 op=90 SRCH base="dc=abcsupport,dc=gte" scope=2 filter="(&(ipServicePort=36709)(objectClass=ipService))" attrs="objectClass cn ipServicePort ipServiceProtocol modifyTimestamp"
    [28/Feb/2018:12:08:03.227067280 -0500] conn=77834 op=90 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
    [28/Feb/2018:12:08:03.230969027 -0500] conn=77834 op=91 SRCH base="dc=abcsupport,dc=gte" scope=2 filter="(&(ipServicePort=62775)(objectClass=ipService))" attrs="objectClass cn ipServicePort ipServiceProtocol modifyTimestamp"
    [28/Feb/2018:12:08:03.231158189 -0500] conn=77834 op=91 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
    [28/Feb/2018:12:08:03.234903934 -0500] conn=77834 op=92 SRCH base="dc=abcsupport,dc=gte" scope=2 filter="(&(ipServicePort=55659)(objectClass=ipService))" attrs="objectClass cn ipServicePort ipServiceProtocol modifyTimestamp"
    [28/Feb/2018:12:08:03.235072946 -0500] conn=77834 op=92 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
    [28/Feb/2018:12:08:03.238685582 -0500] conn=77834 op=93 SRCH base="dc=abcsupport,dc=gte" scope=2 filter="(&(ipServicePort=49312)(objectClass=ipService))" attrs="objectClass cn ipServicePort ipServiceProtocol modifyTimestamp"
    [28/Feb/2018:12:08:03.238928242 -0500] conn=77834 op=93 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
    [28/Feb/2018:12:08:03.341706968 -0500] conn=77856 op=10 SRCH base="dc=abcsupport,dc=gte" scope=2 filter="(&(uid=user1)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbprincipalname cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krblastpwdchange krbpasswordexpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap sshpublickey mail"
    [28/Feb/2018:12:08:03.342428144 -0500] conn=77856 op=10 RESULT err=0 tag=101 nentries=1 etime=0
    [28/Feb/2018:12:08:03.352369504 -0500] conn=77856 op=11 SRCH base="ou=groups,dc=abcsupport,dc=gte" scope=2 filter="(&(memberUid=user1)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))" attrs="objectClass cn userPassword gidNumber modifyTimestamp modifyTimestamp"
    [28/Feb/2018:12:08:03.352822307 -0500] conn=77856 op=11 RESULT err=0 tag=101 nentries=1 etime=0 notes=U,P pr_idx=0 pr_cookie=-1
    [28/Feb/2018:12:08:03.359771049 -0500] conn=77861 fd=170 slot=170 SSL connection from x.x.x.13 to x.x.x.13
    [28/Feb/2018:12:08:03.367629350 -0500] conn=77861 TLS1.2 256-bit AES
    [28/Feb/2018:12:08:03.368944453 -0500] conn=77861 op=0 BIND dn="uid=user1,ou=Administrators,dc=abcsupport,dc=gte" method=128 version=3
    [28/Feb/2018:12:08:03.370680939 -0500] conn=77861 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user1,ou=administrators,dc=abcsupport,dc=gte"
    [28/Feb/2018:12:08:03.371914731 -0500] conn=77861 op=1 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_plugin"
    [28/Feb/2018:12:08:03.373998261 -0500] conn=77861 op=1 RESULT err=19 tag=120 nentries=0 etime=0
    [28/Feb/2018:12:08:03.375051541 -0500] conn=77861 op=2 UNBIND
    [28/Feb/2018:12:08:03.375074425 -0500] conn=77861 op=2 fd=170 closed - U1
    [28/Feb/2018:12:08:03.383351108 -0500] conn=77860 op=5 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
    [28/Feb/2018:12:08:03.383987776 -0500] conn=77860 op=5 RESULT err=0 tag=120 nentries=0 etime=0
    [28/Feb/2018:12:08:03.384498796 -0500] conn=77860 op=6 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
    [28/Feb/2018:12:08:03.386389593 -0500] conn=77860 op=6 RESULT err=0 tag=120 nentries=0 etime=0

    /etc/pam.d/system-auth

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.

    auth required pam_env.so
    auth required pam_faillock.so preauth silent audit deny=3 unlock_time=604800 fail_interval=900
    auth sufficient pam_unix.so try_first_pass
    auth sufficient pam_sss.so use_first_pass
    auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=604800 fail_interval=900
    auth requisite pam_succeed_if.so uid >= 500 quiet
    auth required pam_deny.so

    account required pam_faillock.so
    account required pam_unix.so
    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 500 quiet
    account [default=bad success=ok user_unknown=ignore] pam_sss.so
    account required pam_permit.so

    password requisite pam_cracklib.so try_first_pass retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=8 maxrepeat=3 type=
    password required pam_pwhistory.so use_authtok remember=5
    password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
    password sufficient pam_sss.so use_authtok
    password required pam_deny.so

    session optional pam_keyinit.so revoke
    session required pam_limits.so
    session required pam_lastlog.so showfailed
    session optional pam_mkhomedir.so
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session sufficient pam_sss.so
    session required pam_unix.so

    /etc/pam.d/password-auth

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.

    auth required pam_env.so
    auth [default=1 success=ok] pam_localuser.so
    auth [success=done ignore=ignore default=die] pam_unix.so try_first_pass
    auth requisite pam_succeed_if.so uid >= 500 quiet_success
    auth sufficient pam_sss.so forward_pass
    auth required pam_deny.so

    account required pam_unix.so
    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 500 quiet
    account [default=bad success=ok user_unknown=ignore] pam_sss.so
    account required pam_permit.so

    password requisite pam_pwquality.so try_first_pass retry=3 type=
    password sufficient pam_unix.so md5 shadow try_first_pass use_authtok
    password sufficient pam_sss.so use_authtok
    password required pam_deny.so

    session optional pam_keyinit.so revoke
    session required pam_limits.so
    -session optional pam_systemd.so
    session optional pam_mkhomedir.so umask=0077
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session required pam_unix.so
    session optional pam_sss.so

    sssd.conf

    [sssd]
    services = nss, pam
    config_file_version = 2
    domains = default
    reconnection_retries = 3
    sbus_timeout = 30
    debug_level = 9

    # SSSD will not start if you do not configure any domains.
    # Add new domain configurations as [domain/<NAME>] sections, and
    # then add the list of domains (in the order you want them to be
    # queried) to the "domains" attribute below and uncomment it.
    ; domains = LDAP

    [nss]
    filter_groups = root
    filter_users = root
    debug_level = 9

    [pam]
    reconnection_retries = 3
    offline_credentials_expiration = 2
    offline_failed_login_attempts = 3
    offline_failed_login_delay = 5
    pwd_expiration_warning = 7
    debug_level = 9

    [domain/default]

    # LDAP Configuration
    id_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    ldap_schema = rfc2307
    ldap_search_base = dc=abcsupport,dc=gte
    ldap_group_search_base = ou=groups,dc=abcsupport,dc=gte
    ldap_uri = ldaps://rdsserver01.abcsupport.gte:1636,ldaps://rdsserver02.abcsupport.gte:1636

    # Encryption Settings
    # ldap_id_use_start_tls = True
    ldap_tls_cacertdir = /etc/openldap/cacerts
    ldap_tls_cipher_suite = TLSv1.2+AES+SHA256+RSA
    ldap_tls_reqcert = never
    # ldap_tls_reqcert = demand

    # Access Control Settings
    access_provider = simple
    simple_allow_groups = abc-admins,services,abc-admins,abc-jbosslog

    # Misc Settings
    debug_level = 9
    enumerate = True
    max_id = 3999
    min_id = 2000
    pwd_expiration_warning = 7
    cache_credentials = False
    krb5_realm = EXAMPLE.COM
    krb5_server = kerberos.example.com

    [sudo]

    [autofs]

    [ssh]

    [pac]
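
Added example, not part of the original post: a triage script for the Directory Server access log shown above that pairs each Password Modify extended operation (OID 1.3.6.1.4.1.4203.1.11.1) with its RESULT and with the bind DN on the same connection, and reports the ones that did not return err=0. The function name, the result-code table and the second sample connection (conn=90001, user2) are constructed for illustration.

```python
import re

# RFC 3062 Password Modify extended operation, the EXT oid in the access log.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"
# Standard LDAP result codes (RFC 4511) relevant to a rejected change.
LDAP_RESULT = {19: "constraintViolation", 49: "invalidCredentials",
               50: "insufficientAccessRights", 53: "unwillingToPerform"}

LINE = re.compile(r"^\[([^\]]+)\] conn=(\d+) op=(\d+) (.*)$")
BIND = re.compile(r'^BIND dn="([^"]*)"')
EXT = re.compile(r'^EXT oid="([^"]+)"')
RESULT = re.compile(r"^RESULT err=(\d+)")

def failed_password_changes(lines):
    """Return one record per Password Modify request that ended with err != 0."""
    bind_dn, pending, failures = {}, {}, []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # connection-level lines (SSL, TLS) carry no op= field
        ts, conn, op, rest = m.groups()
        if b := BIND.match(rest):
            bind_dn[conn] = b.group(1)          # DN that owns this connection
        elif (e := EXT.match(rest)) and e.group(1) == PASSWD_MODIFY_OID:
            pending[(conn, op)] = ts            # wait for the matching RESULT
        elif (r := RESULT.match(rest)) and (conn, op) in pending:
            ts, err = pending.pop((conn, op)), int(r.group(1))
            if err:
                failures.append({"time": ts, "conn": conn,
                                 "dn": bind_dn.get(conn, "<anonymous>"),
                                 "err": err,
                                 "meaning": LDAP_RESULT.get(err, "other")})
    return failures

# conn=77861 is copied from the log above; conn=90001 is constructed.
SAMPLE = '''
[28/Feb/2018:12:08:03.359771049 -0500] conn=77861 fd=170 slot=170 SSL connection from x.x.x.13 to x.x.x.13
[28/Feb/2018:12:08:03.368944453 -0500] conn=77861 op=0 BIND dn="uid=user1,ou=Administrators,dc=abcsupport,dc=gte" method=128 version=3
[28/Feb/2018:12:08:03.370680939 -0500] conn=77861 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user1,ou=administrators,dc=abcsupport,dc=gte"
[28/Feb/2018:12:08:03.371914731 -0500] conn=77861 op=1 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_plugin"
[28/Feb/2018:12:08:03.373998261 -0500] conn=77861 op=1 RESULT err=19 tag=120 nentries=0 etime=0
[28/Feb/2018:12:09:00.000000000 -0500] conn=90001 op=0 BIND dn="uid=user2,ou=Administrators,dc=abcsupport,dc=gte" method=128 version=3
[28/Feb/2018:12:09:00.100000000 -0500] conn=90001 op=1 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_plugin"
[28/Feb/2018:12:09:00.200000000 -0500] conn=90001 op=1 RESULT err=0 tag=120 nentries=0 etime=0
'''

if __name__ == "__main__":
    for failure in failed_password_changes(SAMPLE.splitlines()):
        print(failure)
```

On the sample it reports only conn=77861: the bind succeeds (err=0) and the password modify that follows is rejected with err=19, the same constraint violation that sssd_default.log records.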
