Password reset fails for an expired password when IdM two-factor authentication is enabled
Issue
When Red Hat Identity Management is used with two-factor authentication (OTP) and a user's password has expired, the user cannot renew it: the password-change step rejects the current password.
[cylopez@idm ~]$ su - tutu
Password:
Password expired. Change your password now.
Current Password:
Password change failed. Server message: Old password not accepted.
su: Authentication token manipulation error
The system log shows the expired-password notice followed by the failed password change:
sept. 17 08:52:31 idm.local [sssd[krb5_child[24835]]][24835]: Password has expired
sept. 17 08:52:31 idm.local su[24832]: pam_sss(su-l:auth): authentication failure; logname=root uid=634400001 euid=0 tty=pts/0 ruser=cylopez rhost= user=tutu
sept. 17 08:52:31 idm.local su[24832]: pam_sss(su-l:auth): received for user tutu: 12 (Authentication token is no longer valid; new one required)
sept. 17 08:52:31 idm.local su[24832]: pam_sss(su-l:account): User info message: Password expired. Change your password now.
sept. 17 08:52:31 idm.local su[24832]: pam_unix(su-l:chauthtok): user "tutu" does not exist in /etc/passwd
sept. 17 08:52:35 idm.local su[24832]: pam_sss(su-l:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
sept. 17 08:52:35 idm.local su[24832]: pam_sss(su-l:chauthtok): Authentication failed for user tutu: 4 (System error)
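As an added illustration (not part of the Red Hat article), the following Python script parses journal lines of the kind shown above and reports each PAM session in which pam_sss first signalled an expired password (auth result 12, PAM_NEW_AUTHTOK_REQD) and the subsequent chauthtok step then failed. It lets an administrator find affected users in the logs rather than waiting for them to report the "Old password not accepted" message. The sample log embedded in the script is constructed from the lines above plus one unrelated successful login; the regular expressions assume the default syslog-style journalctl output format.

```python
import re
from collections import defaultdict

# Constructed sample: the journal lines from the article plus one unrelated
# successful sshd login, to show that only the failing sequence is reported.
SAMPLE_LOG = """\
sept. 17 08:52:31 idm.local [sssd[krb5_child[24835]]][24835]: Password has expired
sept. 17 08:52:31 idm.local su[24832]: pam_sss(su-l:auth): authentication failure; logname=root uid=634400001 euid=0 tty=pts/0 ruser=cylopez rhost= user=tutu
sept. 17 08:52:31 idm.local su[24832]: pam_sss(su-l:auth): received for user tutu: 12 (Authentication token is no longer valid; new one required)
sept. 17 08:52:31 idm.local su[24832]: pam_sss(su-l:account): User info message: Password expired. Change your password now.
sept. 17 08:52:31 idm.local su[24832]: pam_unix(su-l:chauthtok): user "tutu" does not exist in /etc/passwd
sept. 17 08:52:35 idm.local su[24832]: pam_sss(su-l:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
sept. 17 08:52:35 idm.local su[24832]: pam_sss(su-l:chauthtok): Authentication failed for user tutu: 4 (System error)
sept. 17 09:10:02 idm.local sshd[25001]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=alice
"""

# syslog/journalctl short format: "<month> <day> <hh:mm:ss> <host> <prog>[<pid>]: <message>"
# The non-greedy <prog> also copes with nested tags such as "[sssd[krb5_child[24835]]][24835]:".
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\S+?)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# pam_sss auth result line; code 12 is PAM_NEW_AUTHTOK_REQD (password must be changed first)
AUTH_RE = re.compile(
    r"pam_sss\((?P<svc>[^:)]+):auth\): received for user (?P<user>\S+): (?P<code>\d+) \("
)
# Server-side reason reported to the user during the chauthtok step
SERVER_MSG_RE = re.compile(
    r"pam_sss\([^)]+:chauthtok\): User info message: Password change failed\. Server message: (?P<reason>.*)$"
)
# Final chauthtok failure; code 4 is PAM_SYSTEM_ERR
CHAUTHTOK_FAIL_RE = re.compile(
    r"pam_sss\([^)]+:chauthtok\): Authentication failed for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)

PAM_NEW_AUTHTOK_REQD = 12


def find_failed_expired_password_changes(log_text):
    """Return one finding per PAM session (program + pid) in which pam_sss reported
    an expired password (auth result 12) and the following chauthtok step failed
    for the same user. Each finding records user, service, session, timestamps,
    the PAM error and the server-side reason (None if no server message was logged)."""
    sessions = defaultdict(lambda: {"expired": None, "reason": None, "fail": None})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a syslog-style line; ignore it
        key = (m["prog"], m["pid"])
        msg = m["msg"]
        a = AUTH_RE.search(msg)
        if a and int(a["code"]) == PAM_NEW_AUTHTOK_REQD:
            sessions[key]["expired"] = {"ts": m["ts"], "user": a["user"], "service": a["svc"]}
            continue
        s = SERVER_MSG_RE.search(msg)
        if s:
            sessions[key]["reason"] = s["reason"].strip()
            continue
        f = CHAUTHTOK_FAIL_RE.search(msg)
        if f:
            sessions[key]["fail"] = {"ts": m["ts"], "user": f["user"],
                                     "code": int(f["code"]), "text": f["text"]}
    findings = []
    for (prog, pid), st in sessions.items():
        # Only correlate when the expiry notice and the failed change concern the same user
        if st["expired"] and st["fail"] and st["expired"]["user"] == st["fail"]["user"]:
            findings.append({
                "user": st["fail"]["user"],
                "service": st["expired"]["service"],
                "session": f"{prog}[{pid}]",
                "expired_at": st["expired"]["ts"],
                "failed_at": st["fail"]["ts"],
                "pam_error": f'{st["fail"]["code"]} ({st["fail"]["text"]})',
                "server_reason": st["reason"],
            })
    return findings


if __name__ == "__main__":
    for f in find_failed_expired_password_changes(SAMPLE_LOG):
        print(f"{f['failed_at']} {f['session']}: user {f['user']} could not renew an expired "
              f"password via {f['service']}: {f['pam_error']}; server said: {f['server_reason']}")
```

Run it against a journal export (for example, the output of journalctl piped into the script in place of SAMPLE_LOG) to list every user hitting this failure; correlating on program and PID keeps entries from concurrent sessions apart.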
Environment
- Red Hat Identity Management
- ipa-server-4.5.x on Red Hat Enterprise Linux 7
- sssd-client-1.16.0-19.el7_5.5.x86_64