Ubuntu – Active Directory users unable to change passwords [SSSD]


I've set up an Ubuntu 16.04 system to join an AD domain following the instruction set here.

I can log in with AD users and everything is working correctly there, however AD users are unable to change their passwords either with passwd or kpasswd. I'm not sure what I might not have configured correctly.

Here are my configuration files:

== /etc/pam.d/common-password ==

password        sufficient                      pam_sss.so
password        required                        pam_cracklib.so retry=6 minlen=9 difok=1 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
password        [success=1 default=ignore]      pam_unix.so obscure try_first_pass sha512
password        requisite                       pam_deny.so
password        required                        pam_permit.so
password        optional        pam_gnome_keyring.so

== /etc/sssd/sssd.conf ==

[sssd]
domains = my.domain.com
config_file_version = 2
services = nss, pam

[domain/my.domain.com]
ad_domain = my.domain.com
krb5_realm = my.domain.com
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = ad

auth_provider = ad
chpass_provider = ad
ldap_schema = ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
krb5_use_enterprise_principal = false

Any help would be greatly appreciated. I've been googling for several hours now with no luck…

Here's what I'm seeing in the terminal:

cypher@ubuVB2:~$ passwd
Current Password: 
New Password: 
Reenter new Password: 
Password change failed. Server message: Please make sure the password meets the complexity constraints.
New password: 
Retype new password: 
passwd: Authentication token manipulation error
passwd: password unchanged

I'm certain that the password I'm trying to set meets the complexity requirements, so this is rather odd…

Best Answer

The password complexity message is a bit generic, it just means that SSSD attempted to change the password, but for one reason or another the AD DC wouldn't let it. We use a generic message, because the password complexity is the most common one. If you enable debug_level=10 in the domain section, and then run the password change, the krb5_child.log file under /var/log/sssd would tell you the real reason. Don't forget to reset the debug_level back after you're done with the test, because debug_level=10 is quite verbose.
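The procedure the answer describes, as an added example that is not part of the original question or answer: a POSIX shell script that puts debug_level into the [domain/...] section of sssd.conf (not into [sssd], where it would only affect the monitor), restarts SSSD so krb5_child picks it up, and then removes the key again. The /etc/sssd/sssd.conf and /var/log/sssd/krb5_child.log paths are the SSSD defaults; the section name is taken from the poster's config; the embedded sample config is constructed from that config for offline testing. The helper and function names are my own, not SSSD's.

```shell
#!/bin/sh
# Added example: toggle debug_level in the [domain/<name>] section of
# sssd.conf so that /var/log/sssd/krb5_child.log shows the real KDC error
# behind the generic "complexity constraints" message.

# get_section_value FILE SECTION KEY  -> prints the value of KEY inside [SECTION]
get_section_value() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == sec); next }
        insec && $0 ~ "^[ \t]*" key "[ \t]*=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# set_domain_debug_level FILE SECTION LEVEL
#   Replace or append "debug_level = LEVEL" inside [SECTION] only; an empty
#   LEVEL deletes the key (the "reset it afterwards" step from the answer).
#   The result is written back with cat so sssd.conf keeps its 0600 root mode.
set_domain_debug_level() {
    file=$1; section=$2; level=$3
    tmp=$(mktemp) || return 1
    awk -v sec="[$section]" -v lvl="$level" '
        function flush() {            # leaving the target section: add key if absent
            if (insec && !seen && lvl != "") print "debug_level = " lvl
            insec = 0
        }
        /^\[/ { flush(); insec = ($0 == sec); seen = 0 }
        insec && /^[ \t]*debug_level[ \t]*=/ {
            seen = 1
            if (lvl != "") print "debug_level = " lvl
            next                      # drop the old line (and the key entirely if lvl == "")
        }
        { print }
        END { flush() }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample: the poster's sssd.conf with its two sections, for offline tests.
sample_sssd_conf() {
    cat <<'EOF'
[sssd]
domains = my.domain.com
config_file_version = 2
services = nss, pam

[domain/my.domain.com]
ad_domain = my.domain.com
krb5_realm = my.domain.com
id_provider = ad
auth_provider = ad
chpass_provider = ad
EOF
}

# Full workflow from the answer. Needs root on a joined host; not run here.
# Usage: debug_password_change my.domain.com   (then run passwd as the AD user
# in another shell while this waits, and read the tail of krb5_child.log)
debug_password_change() {
    conf=/etc/sssd/sssd.conf                         # SSSD default path
    domain=$1
    set_domain_debug_level "$conf" "domain/$domain" 10 || return 1
    systemctl restart sssd
    printf 'debug_level=10 active; run passwd as the AD user, then press Enter\n'
    read -r _
    grep -v -e 'sss_child_krb5_trace_cb' /var/log/sssd/krb5_child.log | tail -n 40
    # always reset: level 10 logs every Kerberos exchange and fills the disk fast
    set_domain_debug_level "$conf" "domain/$domain" ""
    systemctl restart sssd
}
```

The two awk helpers are section-aware on purpose: a bare `sed -i 's/^/debug_level = 10\n/'`-style edit or appending to the end of the file would land the key in whichever section happens to be last, and SSSD's per-section debug_level then never reaches krb5_child. The restart matters too; SSSD reads sssd.conf only at startup (or on `sss_debuglevel`, on versions that ship it).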
