My Linux box for some reason is not allowing me to use the passwd command to change the user's Windows AD password. We can access the box using AD, run sudo using the AD password, and when running the id command I can see my AD groups, etc., so it looks fine, but the passwd command does not work.
This is my sssd.conf:
[domain/domain.local]
ldap_schema = AD
ldap_search_base = dc=domain,dc=local
ldap_access_filter = (|(memberOf=CN=ops-linux-admin,OU=Linux,OU=Staff,DC=domain,DC=local)(memberOf=CN=all-linux,OU=Linux,OU=Staff,DC=domain,DC=local))
id_provider = ldap
ldap_uri = ldaps://secureldap.domain.local
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/pki/ca-secureldap.crt
cache_credentials = True
enumerate = False
default_shell = /bin/bash
ldap_id_mapping = True
ldap_referrals = False
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
ldap_default_bind_dn = CN=linuxbind,OU=Service Accounts,DC=domain,DC=local
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = tX45ZPkNlisqw82lW18rFNnDr
ldap_user_ssh_public_key = sshpublickey
debug_level = 4
access_provider = ldap
sudo_provider = ldap
auth_provider = ldap
autofs_provider = ldap
[sssd]
config_file_version = 2
reconnection_retries = 3
services = nss, pam, sudo, ssh
create_homedir = true
homedir_umask = 0077
skel_dir = /etc/skel
domains = domain.local
debug_level = 4
[nss]
filter_groups = root
filter_users = root
debug_level = 4
[pam]
reconnection_retries = 3
offline_credentials_expirations = 0
debug_level = 4
[ssh]
debug_level = 4
This is what I see from the sssd_pam.log:
(Wed Aug 31 13:11:43 2022) [pam] [pam_cmd_chauthtok_prelim] (0x0100): entering pam_cmd_chauthtok_prelim
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): command: SSS_PAM_CHAUTHTOK_PRELIM
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): domain: not set
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): user: my_users
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): service: passwd
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): tty: not set
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): ruser: not set
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): rhost: not set
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): authtok type: 1
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): priv: 0
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): cli_pid: 532549
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): logon name: my_user
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): flags: 4
(Wed Aug 31 13:11:43 2022) [pam] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): command: SSS_PAM_CHAUTHTOK_PRELIM
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): domain: domain.local
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): user: my_user@domain.local
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): service: passwd
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): tty: not set
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): ruser: not set
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): rhost: not set
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): authtok type: 1
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): priv: 0
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): cli_pid: 532549
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): logon name: my_user
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): flags: 4
(Wed Aug 31 13:11:43 2022) [pam] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Wed Aug 31 13:11:43 2022) [pam] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Wed Aug 31 13:12:00 2022) [pam] [pam_cmd_chauthtok] (0x0100): entering pam_cmd_chauthtok
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): command: SSS_PAM_CHAUTHTOK
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): domain: not set
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): user: my_user
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): service: passwd
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): tty: not set
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): ruser: not set
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): rhost: not set
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): authtok type: 1
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): newauthtok type: 1
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): priv: 0
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): cli_pid: 532549
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): logon name: my_user
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): flags: 4
(Wed Aug 31 13:12:00 2022) [pam] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): command: SSS_PAM_CHAUTHTOK
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): domain: domain.local
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): user: my_user@domain.local
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): service: passwd
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): tty: not set
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): ruser: not set
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): rhost: not set
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): authtok type: 1
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): newauthtok type: 1
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): priv: 0
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): cli_pid: 532549
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): logon name: my_user
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): flags: 4
(Wed Aug 31 13:12:00 2022) [pam] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Wed Aug 31 13:12:00 2022) [pam] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
This is what I see from the sssd_domain.local.log:
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [dp_pam_handler_send] (0x0100): Got request with the following data
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): command: SSS_PAM_CHAUTHTOK_PRELIM
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): domain: domain.local
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): user: my_user@domain.local
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): service: passwd
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): tty:
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): ruser:
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): rhost:
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): authtok type: 1
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): priv: 0
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): cli_pid: 532539
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): logon name: not set
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): flags: 0
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [sdap_pam_chpass_handler_send] (0x0040): starting password change request for user [my_user@domain.local].
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [sdap_get_server_opts_from_rootdse] (0x0100): Will look for schema at [CN=Schema,CN=Configuration,DC=domain,DC=local]
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [fo_set_port_status] (0x0100): Marking port 636 of server 'secureldap.domain.local' as 'working'
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [set_server_common_status] (0x0100): Marking server 'secureldap.domain.local' as 'working'
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [simple_bind_send] (0x0100): Executing simple bind as: CN=My User,OU=Operations,OU=Staff,DC=domain,DC=local
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [dp_pam_handler_send] (0x0100): Got request with the following data
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): command: SSS_PAM_CHAUTHTOK
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): domain: domain.local
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): user: my_user@domain.local
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): service: passwd
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): tty:
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): ruser:
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): rhost:
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): authtok type: 1
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): newauthtok type: 1
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): priv: 0
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): cli_pid: 532539
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): logon name: not set
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): flags: 0
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [sdap_pam_chpass_handler_send] (0x0040): starting password change request for user [my_user@domain.local].
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [sdap_get_server_opts_from_rootdse] (0x0100): Will look for schema at [CN=Schema,CN=Configuration,DC=domain,DC=local]
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [fo_set_port_status] (0x0100): Marking port 636 of server 'secureldap.domain.local' as 'working'
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [set_server_common_status] (0x0100): Marking server 'secureldap.domain.local' as 'working'
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [simple_bind_send] (0x0100): Executing simple bind as: CN=My User,OU=Operations,OU=Staff,DC=domain,DC=local
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [sdap_control_create] (0x0080): Server does not support the requested control [1.3.6.1.4.1.42.2.27.8.5.1].
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [sdap_exop_modify_passwd_send] (0x0100): Executing extended operation
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [sdap_exop_modify_passwd_done] (0x0080): ldap_extended_operation result: Protocol error(2), 0000203D: LdapErr: DSID-0C090FB2, comment: Unknown extended request OID, data 0, v2580
I'm not sure what I'm missing here. Our AD is a Windows Server 2012 R2.
dpkg -l |grep -i sssd
iU sssd 2.2.3-3ubuntu0.9 amd64 System Security Services Daemon -- metapackage
iU sssd-ad 2.2.3-3ubuntu0.9 amd64 System Security Services Daemon -- Active Directory back end
iU sssd-ad-common 2.2.3-3ubuntu0.9 amd64 System Security Services Daemon -- PAC responder
iF sssd-common 2.2.3-3ubuntu0.9 amd64 System Security Services Daemon -- common files
iU sssd-ipa 2.2.3-3ubuntu0.9 amd64 System Security Services Daemon -- IPA back end
iU sssd-krb5 2.2.3-3ubuntu0.9 amd64 System Security Services Daemon -- Kerberos back end
iU sssd-krb5-common 2.2.3-3ubuntu0.9 amd64 System Security Services Daemon -- Kerberos helpers
iU sssd-ldap 2.2.3-3ubuntu0.9 amd64 System Security Services Daemon -- LDAP back end
iU sssd-proxy 2.2.3-3ubuntu0.9 amd64 System Security Services Daemon -- proxy back end
iU sssd-tools 2.2.3-3ubuntu0.9 amd64 System Security Services Daemon -- tools
Any help please :) Thanks!
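To make the backend log above easier to read, here is an added triage script (not part of the question, not SSSD's own tooling) that correlates the password-change request, the bind identity, the rejected control and the extended-operation result into one verdict. The sample lines are copied from the sssd_domain.local.log in the post; SSSD's sdap_exop_modify_passwd_* path issues the RFC 3062 password modify extended operation, which is what the directory is reporting as an unknown OID.

```python
import re

# Constructed sample: a subset of the sssd_domain.local.log lines quoted in the question.
SAMPLE_LOG = """\
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [sdap_pam_chpass_handler_send] (0x0040): starting password change request for user [my_user@domain.local].
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [simple_bind_send] (0x0100): Executing simple bind as: CN=My User,OU=Operations,OU=Staff,DC=domain,DC=local
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [sdap_control_create] (0x0080): Server does not support the requested control [1.3.6.1.4.1.42.2.27.8.5.1].
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [sdap_exop_modify_passwd_send] (0x0100): Executing extended operation
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [sdap_exop_modify_passwd_done] (0x0080): ldap_extended_operation result: Protocol error(2), 0000203D: LdapErr: DSID-0C090FB2, comment: Unknown extended request OID, data 0, v2580
"""

LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[be\[(?P<dom>[^\]]+)\]\] \[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
EXOP_RE = re.compile(r"result: (?P<name>[^(]+)\((?P<code>\d+)\)(?:, (?P<win>[0-9A-Fa-f]{8}):)?")
BRACKET_RE = re.compile(r"\[([^\]]+)\]")

# Control the LDAP provider asks for before a change; the log shows the server declining it.
KNOWN_OIDS = {"1.3.6.1.4.1.42.2.27.8.5.1": "LDAP password policy request control (draft-behera)"}

def parse(log):
    """Yield one dict per well-formed sssd backend log line; skip anything else."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def diagnose(log):
    """Correlate chpass request, bind DN, rejected control and exop result into a verdict."""
    r = {"user": None, "bind_dn": None, "unsupported_controls": [],
         "exop_code": None, "ad_error": None, "verdict": "no password change seen"}
    for e in parse(log):
        f, msg = e["func"], e["msg"]
        if f == "sdap_pam_chpass_handler_send":
            r["user"] = BRACKET_RE.search(msg).group(1)          # who is being changed
        elif f == "simple_bind_send":
            r["bind_dn"] = msg.split("as: ", 1)[1]               # user's own DN, not the service account
        elif f == "sdap_control_create":
            oid = BRACKET_RE.search(msg).group(1)
            r["unsupported_controls"].append((oid, KNOWN_OIDS.get(oid, "unknown")))
        elif f == "sdap_exop_modify_passwd_done":
            m = EXOP_RE.search(msg)
            r["exop_code"] = int(m.group("code"))                 # LDAP result code 2 = protocolError
            r["ad_error"] = m.group("win")                        # Windows error hex printed by AD
            if r["exop_code"] == 2 and "Unknown extended request OID" in msg:
                r["verdict"] = ("bind succeeded but the directory rejected the RFC 3062 password "
                                "modify exop: the ldap chpass path cannot change the password here")
    return r
```

The bind succeeding as the user's own DN shows the old password was accepted; the failure is confined to the extended operation that follows.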