[regression-update] Can't change local users password

Bug #1159983 reported by Lorenz on 2013-03-25
This bug affects 4 people
Affects Status Importance Assigned to Milestone
sssd (Ubuntu)
Timo Aaltonen

Bug Description

Changing the password of a local user fails if sssd-password is enabled.
This causes ubiquity to crash with remastered iso image.

[Test case]
install sssd and pamlib-ssd on an Active Directory Client and change a password of a local user.
A LDAP/Kerberos Client maybe work, too.

- Case 1: As local user

$ passwd user
Current Password:
New Password:
Reenter new Password:
passwd: Authentication token manipulation error
passwd: password unchanged

- Case 2: As root

# passwd user
New Password:
Reenter new Password:
passwd: Authentication token manipulation error
passwd: password unchanged

- Case 3: With sudo

$ sudo passwd user
New Password:
Reenter new Password:
passwd: Authentication token manipulation error
passwd: password unchanged

- Case 4: As AD-User

$ passwd
Current Password:
New Password:
Reenter new Password:
passwd: password updated successfully

[Regression potential]
This should be already fixed as mentioned in https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1086272/comments/9

[Possible Solution]
--- /usr/share/pam-configs/sss-password.a 2013-03-25 20:14:31.667200776 +0100
+++ /usr/share/pam-configs/sss-password.b 2013-03-25 20:19:00.675808581 +0100
@@ -1,9 +1,9 @@
 Name: SSS password change
 Default: yes
-Priority: 512
+Priority: 256

 Password-Type: Primary
- sufficient pam_sss.so use_authtok
+ [success=end default=ignore] pam_sss.so
- sufficient pam_sss.so
+ [success=end default=ignore] pam_sss.so


 Description: Ubuntu 12.04.2 LTS
 Release: 12.04
 libpam-sss 1.8.6-0ubuntu0.2

Lorenz (lqb) wrote :

In my opinion it is more important to change the local users password.
The AD password could be changed with kpasswd.

Timo Aaltonen (tjaalton) wrote :

I'll look into it.

Changed in sssd (Ubuntu):
assignee: nobody → Timo Aaltonen (tjaalton)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sssd (Ubuntu):
status: New → Confirmed
Timo Aaltonen (tjaalton) wrote :

Some sort of progress.. so there probably isn't any clean way out of this other than libpam-sss depending on libpam-cracklib/libpam-pwquality, which would force having it on top of the password stack. Then we could drop the separate pam-auth-config..

Changed in sssd (Ubuntu):
status: Confirmed → In Progress
Timo Aaltonen (tjaalton) wrote :

Ahem, one obvious solution would be to add 'forward_pass' to Password-Initial on sss-password, could you give it a go? Tried it here and seems to work for both local and remote users, with or without pam_cracklib.

For saucy though I'll probably add the depends to libpam-pwquality and drop the Priority.

Changed in sssd (Ubuntu):
status: In Progress → Incomplete
Boris B. Zhmurov (bzhmurov) wrote :

I did the following:

--- /usr/share/pam-configs/sss-password.orig 2013-07-03 22:50:40.404765856 +0000
+++ /usr/share/pam-configs/sss-password 2013-07-03 23:03:05.556174607 +0000
@@ -6,4 +6,4 @@
  sufficient pam_sss.so use_authtok
- sufficient pam_sss.so
+ sufficient pam_sss.so forward_pass

and ran pam-auth-update --package. After that I have:
# here are the per-package modules (the "Primary" block)
password sufficient pam_sss.so forward_pass
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512

in common-password. And I still can't set password for local users:

~# passwd root
passwd: Authentication token manipulation error
passwd: password unchanged

Launchpad Janitor (janitor) wrote :
Download full text (3.5 KiB)

This bug was fixed in the package sssd - 1.10.0-1ubuntu1

sssd (1.10.0-1ubuntu1) saucy; urgency=low

  * Sync from debian unstable git.

sssd (1.10.0-1) unstable; urgency=low

  [ Timo Aaltonen ]
  * New upstream release (Closes: #693054, #705357, #711101)
  * Update the packaging for the new version, thanks Esko Järnfors!
    - Add libsss-idmap0, libsss-idmap-dev packages
    - Add sssd Depends on libsss-idmap0
    - Add /var/lib/sss/mc directory for the new mmap cache
  * Split authentication providers to separate packages and make sssd
    a metapackage.
  * control: Drop libunistring-dev from build-depends and add libglib2.0-dev
    for unicode support.
  * sssd-*.install: Install new manpages.
  * python-sss.install: py-files got moved under SSSDConfig.
  * control, rules: Use default build flags, bump dpkg-dev build-dep to
  * rules: Install the apparmor profile with -m644.
  * python-sss: Add pysss_murmur.so.
  * rules, control, sssd-ad-common.install: PAC responder support.
    - Add libndr-dev, libndr-standard-dev, libsamba-util-dev, samba4-dev,
      libdcerpc-dev to build-depends
    - Add -I/usr/include/samba-4.0 to CFLAGS
  * control: Mark sssd-common as Multi-Arch: foreign.
  * watch: Add a comment about the upstream git tree.
  * Replace perl snippet from libnss-sss.post* with sed, drop perl from
    Depends. (Closes: #686237)
  * compat: Bump compat to 9.
  * rules: Set DEB_HOST_MULTIARCH, drop --libdir and remnants of cdbs.
  * sssd-common.install: Install the support binaries under the multiarch path.
  * rules,sssd-common.postinst: Move generate-config to /usr/share/sssd.
  * rules, sssd-common.install: Use the correct install path for the
    krb5_locator plugin.
  * libnss-sss.postinst: SSSD doesn't handle shadow maps, so don't pretend
    that it would.
  * libsss-sudo*, control: Remove the soname from the library, move .so to
    the libsss-sudo, drop -dev package.
  * rules: Pass --datadir, so the path in autogenerated python files is
    correctly substituted. (LP: #1079938)
  * sssd-krb5-common.dirs: Add krb5 include dir.
  * fix-cve-2013-0219*.diff, -0220.diff: Dropped, included upstream.
  * libsss-sudo.postrm: Run ldconfig on remove/purge.
  * apparmor-profile: Fix the profile to use the multiarch path for it's
    helper location (LP: #1175317).
  * Add packaging for libsss-nss-idmap0, libsss-nss-idmap-dev,
  * watch: Updated to work with alpha/beta releases.
  * control: Migrate to libnl-3 now that it's supported. (Closes: #688174)
  * sssd-common.{preinst,postrm}: Install the apparmor profile in force-complain
    mode on install, and remove the profile directory on purge (if empty). Also
    migrate from previous setup which installed it as disabled.
    (Closes: #676140)
  * control: Bump policy to 3.9.4, no changes.
  * control: Add libpam-pwquality (>= 1.2.2-1) to libpam-sss depends, which
    makes the password stack work in all cases. (LP: #1159983)
  * control: Drop check from build-depends for now, to work around a linking bug
    in check (#712140) that makes the tests fail on (at least) i386.

  [ Stéphane Graber ]
  * Add postinst/postrm scrip...


Changed in sssd (Ubuntu):
status: Incomplete → Fix Released
Boris B. Zhmurov (bzhmurov) wrote :

Is there any chances that this fix will be available in 12.04?

Timo Aaltonen (tjaalton) wrote :

Yes it will, I'll think of a least embarrassing way to fix it first. Probably will just revert the change there.

Changed in sssd (Ubuntu Precise):
status: New → Triaged
Boris B. Zhmurov (bzhmurov) wrote :

1 month passed. Any news about fix in 12.04 LTS?

Changed in sssd (Ubuntu Precise):
milestone: none → ubuntu-12.04.3
Boris B. Zhmurov (bzhmurov) wrote :

So, almost two months passed. Is there any problem to backport 1 plain-text file to 12.04 LTS?

Timo Aaltonen (tjaalton) wrote :

no problem other than vacation and other commitments

I'll upload a revert later this week

Timo Aaltonen (tjaalton) wrote :

sorry for the delay again, but the revert has been uploaded to precise-proposed now.

Hello Lorenz, or anyone else affected,

Accepted sssd into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/sssd/1.8.6-0ubuntu0.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sssd (Ubuntu Precise):
status: Triaged → Fix Committed
tags: added: verification-needed
Lorenz (lqb) wrote :

Changing the password was successful for both, local and AD user.

Timo Aaltonen (tjaalton) wrote :

thanks for testing and sorry for the mess & delay..

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.8.6-0ubuntu0.3

sssd (1.8.6-0ubuntu0.3) precise-proposed; urgency=low

  * Revert the pam password stack change, there's no way to fix it
    properly for every use case without adding new dependencies.
    (LP: #1159983)
 -- Timo Aaltonen <email address hidden> Fri, 13 Sep 2013 11:36:12 +0300

Changed in sssd (Ubuntu Precise):
status: Fix Committed → Fix Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers