Password reset fails for an expired password when IdM two-factor (OTP) authentication is enabled
Issue
When Red Hat Identity Management is used with two-factor authentication (password + OTP) and a user's password has expired, the user cannot renew it: the forced password change at login is rejected by the server.
[cylopez@idm ~]$ su - tutu
Password:
Password expired. Change your password now.
Current Password:
Password change failed. Server message: Old password not accepted.
su: Authentication token manipulation error
The following entries appear in the logs (the `krb5_child` line reports the expiry; the `pam_sss` `auth` stack returns PAM code 12, and the subsequent `chauthtok` stack fails because the server does not accept the old password):
sept. 17 08:52:31 idm.local [sssd[krb5_child[24835]]][24835]: Password has expired
sept. 17 08:52:31 idm.local su[24832]: pam_sss(su-l:auth): authentication failure; logname=root uid=634400001 euid=0 tty=pts/0 ruser=cylopez rhost= user=tutu
sept. 17 08:52:31 idm.local su[24832]: pam_sss(su-l:auth): received for user tutu: 12 (Authentication token is no longer valid; new one required)
sept. 17 08:52:31 idm.local su[24832]: pam_sss(su-l:account): User info message: Password expired. Change your password now.
sept. 17 08:52:31 idm.local su[24832]: pam_unix(su-l:chauthtok): user "tutu" does not exist in /etc/passwd
sept. 17 08:52:35 idm.local su[24832]: pam_sss(su-l:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
sept. 17 08:52:35 idm.local su[24832]: pam_sss(su-l:chauthtok): Authentication failed for user tutu: 4 (System error)
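The journal excerpt above is the fingerprint of this failure: within one `su` process, `pam_sss(su-l:auth)` returns 12 (PAM_AUTHTOK_EXPIRED) and the following `pam_sss(su-l:chauthtok)` step reports "Old password not accepted". The script below is an added example, not part of the Red Hat article, that scans a journal or `/var/log/secure` export for exactly that sequence so an administrator can list the affected users and sessions. It assumes the rsyslog/journalctl short format shown on the page; the sample log is constructed from the article's lines plus two extra sessions (PIDs 25000 and 25100) added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the article's pam_sss lines, plus one session whose
# expired password was changed without the chauthtok error (PID 25000) and
# one ordinary wrong-password failure (PID 25100). Neither extra session
# should be flagged.
SAMPLE_LOG = """\
sept. 17 08:52:31 idm.local [sssd[krb5_child[24835]]][24835]: Password has expired
sept. 17 08:52:31 idm.local su[24832]: pam_sss(su-l:auth): authentication failure; logname=root uid=634400001 euid=0 tty=pts/0 ruser=cylopez rhost= user=tutu
sept. 17 08:52:31 idm.local su[24832]: pam_sss(su-l:auth): received for user tutu: 12 (Authentication token is no longer valid; new one required)
sept. 17 08:52:31 idm.local su[24832]: pam_sss(su-l:account): User info message: Password expired. Change your password now.
sept. 17 08:52:31 idm.local su[24832]: pam_unix(su-l:chauthtok): user "tutu" does not exist in /etc/passwd
sept. 17 08:52:35 idm.local su[24832]: pam_sss(su-l:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
sept. 17 08:52:35 idm.local su[24832]: pam_sss(su-l:chauthtok): Authentication failed for user tutu: 4 (System error)
sept. 17 09:01:02 idm.local su[25000]: pam_sss(su-l:auth): received for user bob: 12 (Authentication token is no longer valid; new one required)
sept. 17 09:01:02 idm.local su[25000]: pam_sss(su-l:account): User info message: Password expired. Change your password now.
sept. 17 09:05:44 idm.local su[25100]: pam_sss(su-l:auth): received for user carol: 7 (Authentication failure)
"""

# Matches "<month> <day> <hh:mm:ss> <host> su[<pid>]: pam_sss(<service>:<stack>): <msg>"
PAM_SSS_RE = re.compile(
    r"^(?P<ts>\S+ \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) su\[(?P<pid>\d+)\]: "
    r"pam_sss\((?P<service>[^:)]+):(?P<stack>auth|account|chauthtok)\): (?P<msg>.*)$"
)
# pam_sss reports the PAM return code of a stack in one of these two forms.
RC_RE = re.compile(r"received for user (?P<user>\S+): (?P<rc>\d+)")
FAIL_RE = re.compile(r"Authentication failed for user (?P<user>\S+): (?P<rc>\d+)")

PAM_AUTHTOK_EXPIRED = 12  # "Authentication token is no longer valid; new one required"
OLD_PASSWORD_REJECTED = "Old password not accepted"  # server message seen in chauthtok


def parse_pam_sss_line(line):
    """Return the fields of a pam_sss line emitted by su, or None for any other line."""
    m = PAM_SSS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["user"], rec["rc"] = None, None
    for rx in (RC_RE, FAIL_RE):
        r = rx.search(rec["msg"])
        if r:
            rec["user"], rec["rc"] = r.group("user"), int(r.group("rc"))
            break
    return rec


def find_stuck_expired_sessions(log_text):
    """Group pam_sss lines by su PID and flag sessions where an expired
    password (auth rc 12) was followed by the server rejecting the old
    password during the forced change (chauthtok)."""
    sessions = defaultdict(lambda: {
        "user": None, "host": None, "first_ts": None, "last_ts": None,
        "expired": False, "old_password_rejected": False,
    })
    for line in log_text.splitlines():
        rec = parse_pam_sss_line(line)
        if rec is None:
            continue
        s = sessions[rec["pid"]]
        s["host"] = rec["host"]
        s["first_ts"] = s["first_ts"] or rec["ts"]
        s["last_ts"] = rec["ts"]
        if rec["user"]:
            s["user"] = rec["user"]
        if rec["stack"] == "auth" and rec["rc"] == PAM_AUTHTOK_EXPIRED:
            s["expired"] = True
        if rec["stack"] == "chauthtok" and OLD_PASSWORD_REJECTED in rec["msg"]:
            s["old_password_rejected"] = True
    return [dict(pid=pid, **s) for pid, s in sessions.items()
            if s["expired"] and s["old_password_rejected"]]


if __name__ == "__main__":
    for hit in find_stuck_expired_sessions(SAMPLE_LOG):
        print(f"{hit['host']} su[{hit['pid']}] user={hit['user']} "
              f"{hit['first_ts']} .. {hit['last_ts']}: expired password, old password rejected")
```

Feed it `journalctl -u sssd -o short` or `/var/log/secure` content via `SAMPLE_LOG`'s place; only sessions that show both the auth code 12 and the chauthtok rejection are reported, so routine expirations that were changed successfully (bob) and plain bad-password attempts (carol) are left out. To confirm a flagged user is actually a two-factor user, check the "User authentication types" attribute with `ipa user-show <user>`.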
Environment
- Red Hat Identity Management
- ipa-server-4.5.x
- Red Hat Enterprise Linux 7
- sssd-client-1.16.0-19.el7_5.5.x86_64