2

I've set up an Ubuntu 16.04 system to join an AD domain following the instruction set here.

I can login with AD users and everything is working correctly there, however AD users are unable to change their passwords either with passwd or kpasswd. I'm not sure what I might not have configured correctly.

Here are my configuration files:

== /etc/pam.d/common-password ==

password        sufficient                      pam_sss.so
password        required                        pam_cracklib.so retry=6 minlen=9 difok=1 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
password        [success=1 default=ignore]      pam_unix.so obscure try_first_pass sha512
password        requisite                       pam_deny.so
password        required                        pam_permit.so
password        optional                        pam_gnome_keyring.so

== /etc/sssd/sssd.conf ==

[sssd]
domains = my.domain.com
config_file_version = 2
services = nss, pam

[domain/my.domain.com]
ad_domain = my.domain.com
krb5_realm = my.domain.com
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = ad

auth_provider = ad
chpass_provider = ad
ldap_schema = ad
dyndns_update = true
# option name corrected from the misspelt "dyndsn_refresh_interval"
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
krb5_use_enterprise_principal = false

Any help would be greatly appreciated. I've been googling for several hours now with no luck...

EDIT:
Here's what I'm seeing in the terminal:

cypher@ubuVB2:~$ passwd
Current Password: 
New Password: 
Reenter new Password: 
Password change failed. Server message: Please make sure the password meets the complexity constraints.
New password: 
Retype new password: 
passwd: Authentication token manipulation error
passwd: password unchanged

I'm certain that the password I'm trying to set meets the complexity requirements, so this is rather odd...

cypher
  • 21

2 Answers

2

The password complexity message is a bit generic, it just means that SSSD attempted to change the password, but for one reason or another the AD DC wouldn't let it. We use a generic message, because the password complexity is the most common one. If you enable debug_level=10 in the domain section, and then run the password change, the krb5_child.log file under /var/log/sssd would tell you the real reason. Don't forget to reset the debug_level back after you're done with the test, because debug_level=10 is quite verbose.

jhrozek
  • 136
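The diagnostic step in the answer above (raise `debug_level` for the domain, re-run the password change, read `krb5_child.log`, then reset the level) in script form. This is an added example, not code from the answer or from the SSSD project: `set_domain_debug_level` edits only the `[domain/...]` section of an `sssd.conf` text, and `password_change_errors` pulls the failure-level lines and the libkrb5 trace errors out of the log. The log lines are constructed to follow SSSD's line layout; their messages are made up for the demonstration.

```python
"""Helpers for the "turn on debug_level=10, check krb5_child.log" step.
Added example (not from the answer or from SSSD); sample data is constructed."""
import re

# sssd.conf from the question (assumed to end with a single newline)
SAMPLE_CONF = """\
[sssd]
domains = my.domain.com
config_file_version = 2
services = nss, pam

[domain/my.domain.com]
id_provider = ad
auth_provider = ad
chpass_provider = ad
"""


def set_domain_debug_level(conf_text, domain, level):
    """Return conf_text with `debug_level = <level>` directly under the
    [domain/<domain>] header; level=None removes the key again (the
    'reset it after the test' step). All other lines are kept verbatim."""
    header = f"[domain/{domain}]"
    out, in_section = [], False
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped == header
            out.append(line)
            if in_section and level is not None:
                out.append(f"debug_level = {level}")
            continue
        if in_section and re.match(r"^\s*debug_level\s*=", line):
            continue  # drop the old value (or the key itself when level is None)
        out.append(line)
    return "\n".join(out) + "\n"


# SSSD log line: (timestamp) [process] [function] (0xLEVEL): message
LOG_LINE = re.compile(
    r"^\((?P<ts>.*?)\):? \[+(?P<proc>.*?)\]+ \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
ERROR_MASK = 0x00F0   # 0x0010 fatal .. 0x0080 minor failure
KRB5_TRACE = 0x4000   # libkrb5 trace, where the KDC's own reason appears at debug_level=10


def password_change_errors(log_text):
    """Return (function, message) for every failure-level line and for
    every libkrb5 trace line that reports an error from the KDC."""
    found = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        level = int(m.group("level"), 16)
        msg = m.group("msg")
        if level & ERROR_MASK or (level == KRB5_TRACE and "error" in msg.lower()):
            found.append((m.group("func"), msg))
    return found


# Constructed krb5_child.log excerpt (layout real, message text made up)
SAMPLE_KRB5_CHILD_LOG = """\
(Tue Jun 12 10:02:11 2018) [[sssd[krb5_child[4321]]]] [main] (0x0400): krb5_child started.
(Tue Jun 12 10:02:11 2018) [[sssd[krb5_child[4321]]]] [sss_child_krb5_trace_cb] (0x4000): [4321] 1528797731.123456: Getting initial credentials for cypher@MY.DOMAIN.COM
(Tue Jun 12 10:02:12 2018) [[sssd[krb5_child[4321]]]] [sss_child_krb5_trace_cb] (0x4000): [4321] 1528797732.223456: Received error from KDC: password change rejected by domain policy (constructed)
(Tue Jun 12 10:02:12 2018) [[sssd[krb5_child[4321]]]] [changepw_child] (0x0020): krb5_change_password failed [4][Result code 4 (Password change failed)]
(Tue Jun 12 10:02:12 2018) [[sssd[krb5_child[4321]]]] [main] (0x0400): krb5_child completed successfully
"""

if __name__ == "__main__":
    verbose = set_domain_debug_level(SAMPLE_CONF, "my.domain.com", 10)
    print(verbose)
    for func, msg in password_change_errors(SAMPLE_KRB5_CHILD_LOG):
        print(f"{func}: {msg}")
    assert set_domain_debug_level(verbose, "my.domain.com", None) == SAMPLE_CONF
```

Run it against the real files with `python3 script.py` after replacing the constants, and restart SSSD between changing `debug_level` and re-running `passwd`; the interesting lines are the ones `password_change_errors` returns, since the generic "complexity constraints" text is SSSD's wrapper, not the DC's reason.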
1

I know this question is old, but I figured I would offer up an explanation as to why you received the error "Password change failed. Server message: Please make sure the password meets the complexity constraints."

The GPO security settings on your Active Directory server were most likely default or possibly customized by the AD Administrator.

If you look under the "Default Domain Policy" settings, you will see something like: [image: ad_default_domain_policy]

You hit one of the constraints within this policy while attempting to change your password. This is why it started to work after waiting a period of time.
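The policy this answer refers to lives on the domain root object as `minPwdLength`, `pwdHistoryLength`, `minPwdAge`, `maxPwdAge` and `pwdProperties`, and the "started working after waiting" behaviour is the minimum password age. The following is an added example, not code from the answer: it decodes those attributes from the string form an LDAP query returns, pre-checks a candidate password against the documented default complexity rule (no sAMAccountName or displayName token of three or more characters, at least three of five character classes), and computes how long `minPwdAge` will still block a change. The attribute values and account details are constructed; they match the Default Domain Policy defaults (7 characters, 24 history, 1 day minimum age, 42 days maximum age, complexity on).

```python
"""Decode AD domain password policy attributes and pre-check a password.
Added example, not from the original answer; sample values are constructed."""
import re

# Bits of the domain object's pwdProperties attribute
DOMAIN_PASSWORD_COMPLEX = 0x1
DOMAIN_REFUSE_PASSWORD_CHANGE = 0x20

HUNDRED_NS_PER_DAY = 864_000_000_000       # 86400 s * 10^7
WINDOWS_EPOCH_OFFSET_S = 11_644_473_600    # seconds from 1601-01-01 to 1970-01-01

# Constructed: what `ldapsearch -s base -b <domain DN>` would return (defaults)
SAMPLE_DOMAIN_ATTRS = {
    "minPwdLength": "7",
    "pwdHistoryLength": "24",
    "minPwdAge": "-864000000000",       # 1 day, negative 100-ns interval
    "maxPwdAge": "-36288000000000",     # 42 days
    "pwdProperties": "1",               # DOMAIN_PASSWORD_COMPLEX
}


def decode_policy(attrs):
    """Turn the raw string attribute values into a readable policy dict."""
    props = int(attrs.get("pwdProperties", "0"))
    return {
        "min_length": int(attrs.get("minPwdLength", "0")),
        "history": int(attrs.get("pwdHistoryLength", "0")),
        "min_age_days": -int(attrs.get("minPwdAge", "0")) / HUNDRED_NS_PER_DAY,
        "max_age_days": -int(attrs.get("maxPwdAge", "0")) / HUNDRED_NS_PER_DAY,
        "complexity": bool(props & DOMAIN_PASSWORD_COMPLEX),
        "refuse_change": bool(props & DOMAIN_REFUSE_PASSWORD_CHANGE),
    }


def violations(password, policy, sam_account_name="", display_name=""):
    """List the policy rules a candidate password breaks (empty list: the
    rules checked here pass; history and minimum age are separate)."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than minPwdLength={policy['min_length']}")
    if policy["complexity"]:
        low = password.lower()
        if len(sam_account_name) >= 3 and sam_account_name.lower() in low:
            problems.append("contains the sAMAccountName")
        # displayName is split on commas, periods, dashes, underscores, spaces, # and tabs
        for token in re.split(r"[,.\-_ #\t]+", display_name):
            if len(token) >= 3 and token.lower() in low:
                problems.append(f"contains displayName token '{token}'")
        categories = [
            any(c.isupper() for c in password),
            any(c.islower() for c in password),
            any(c.isdigit() for c in password),
            any(not c.isalnum() for c in password),
            # alphabetic but neither upper nor lower case, e.g. CJK characters
            any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
        ]
        if sum(categories) < 3:
            problems.append("fewer than 3 of the 5 character categories")
    return problems


def seconds_until_change_allowed(pwd_last_set, now_unix, policy):
    """minPwdAge blocks a user-initiated change until the current password is
    old enough. pwd_last_set is the user's pwdLastSet FILETIME (100-ns units
    since 1601); returns 0 when the change is allowed now."""
    last_set_unix = pwd_last_set // 10_000_000 - WINDOWS_EPOCH_OFFSET_S
    allowed_at = last_set_unix + policy["min_age_days"] * 86400
    return max(0, allowed_at - now_unix)


if __name__ == "__main__":
    policy = decode_policy(SAMPLE_DOMAIN_ATTRS)
    print(policy)
    print(violations("cypher2018", policy, "cypher", "Cypher Example"))
    print(violations("Tr0ub4dor&3", policy, "cypher", "Cypher Example"))
    last_set = (1_528_797_000 + WINDOWS_EPOCH_OFFSET_S) * 10_000_000  # constructed
    print(seconds_until_change_allowed(last_set, 1_528_797_000 + 3600, policy))
```

Fine-grained password policies (`msDS-PasswordSettings` objects) override the domain defaults for the users they apply to; when a user keeps hitting the generic SSSD message, check `msDS-ResultantPSO` on the account before assuming the Default Domain Policy values apply.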