libpam-sss.pam-auth-update needs to be split to properly support password changes
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
sssd (Ubuntu) |
Fix Released
|
Undecided
|
Timo Aaltonen | ||
Precise |
Fix Released
|
Medium
|
Unassigned | ||
Quantal |
Fix Released
|
Medium
|
Unassigned |
Bug Description
[Impact]
password changes don't currently work unless pam_cracklib is installed, or the use_authtok is dropped from the libpam-sss pam-auth-update file.
[Test case]
install sssd & libpam-sss on an LDAP client, then try to change the password of a networked user.
[Regression potential]
This bug has basically forced users to modify the (package owned) file on their own, but the new version should still work in all cases.
--
The priority of the libpam-sss pam-auth-update config file needs to be lower than for pam_unix, so that local users always work, despite the state of the sssd daemon. This causes a problem with the password stack, where pam_sss needs to be above pam_unix, so that if pam_cracklib is installed password changes still work. Otherwise it would be broken in one of the cases, depending on if use_authtok is set or not.
The fix for this is to split the password stack from pam_sss config separate from the rest, and use a higher priority there.
This is fixed in raring, needs an SRU to precise and quantal.
description: | updated |
Changed in sssd (Ubuntu): | |
status: | New → Fix Released |
Changed in sssd (Ubuntu Precise): | |
importance: | Undecided → Medium |
status: | New → In Progress |
Changed in sssd (Ubuntu Quantal): | |
importance: | Undecided → Medium |
status: | New → In Progress |
description: | updated |
Changed in sssd (Ubuntu): | |
status: | Fix Released → Fix Committed |
tags: |
added: verification-done removed: verification-needed |
Hello Timo, or anyone else affected,
Accepted sssd into precise-proposed. The package will build now and be available at http:// launchpad. net/ubuntu/ +source/ sssd/1. 8.6-0ubuntu0. 1 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https:/ /wiki.ubuntu. com/Testing/ EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed. In either case, details of your testing will help us make a better decision.
Further information regarding the verification process can be found at https:/ /wiki.ubuntu. com/QATeam/ PerformingSRUVe rification . Thank you in advance!