Active Directory users unable to change passwords [SSSD]

Solution 1

The password complexity message is a bit generic, it just means that SSSD attempted to change the password, but for one reason or another the AD DC wouldn't let it. We use a generic message, because the password complexity is the most common one. If you enable debug_level=10 in the domain section, and then run the password change, the krb5_child.log file under /var/log/sssd would tell you the real reason. Don't forget to reset the debug_level back after you're done with the test, because debug_level=10 is quite verbose.

Solution 2

I know this question is old, but I figured I would offer up an explanation as to why you received the error "Password change failed. Server message: Please make sure the password meets the complexity constraints."

The GPO security settings on your Active Directory server were most likely default or possibly customized by the AD Administrator.

If you look under the "Default Domain Policy" settings, you will see something like this: [image: ad_default_domain_policy]

You hit one of the constraints within this policy while attempting to change your password. This is why it started to work after waiting a period of time.
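As an added example (not from either answer, and not SSSD code), the checks below model the Windows defaults behind the Default Domain Policy referred to above: minimum length 7, complexity enabled (3 of 5 character classes, no account-name or display-name tokens), and a minimum password age of 1 day, which is the rule a later retry clears on its own. The account attributes and policy values are assumptions; a domain administrator may have customised them.

```python
from datetime import datetime, timedelta
from typing import List, Optional
import re

# Windows defaults for the Default Domain Policy (assumed here; an AD
# administrator may have customised them on the real domain).
DEFAULT_MIN_LENGTH = 7               # "Minimum password length"
DEFAULT_COMPLEXITY = True            # "Password must meet complexity requirements"
DEFAULT_MIN_AGE = timedelta(days=1)  # "Minimum password age"

def complexity_categories(password: str) -> int:
    """Count the AD character classes present: uppercase, lowercase,
    digits, special characters, and other (non-cased) letters."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() and not c.isspace() for c in password),
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    ])

def check_password_change(password: str, sam_account_name: str, display_name: str,
                          pwd_last_set: Optional[datetime], now: datetime,
                          min_length: int = DEFAULT_MIN_LENGTH,
                          complexity: bool = DEFAULT_COMPLEXITY,
                          min_age: timedelta = DEFAULT_MIN_AGE) -> List[str]:
    """Return the policy rules a change would violate (empty list = OK).
    sam_account_name / display_name are the user's AD attributes; pwd_last_set
    is the time of the last successful change (None if unknown)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if complexity:
        if complexity_categories(password) < 3:
            problems.append("uses fewer than 3 of the 5 character classes")
        lowered = password.lower()
        if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
            problems.append("contains the account name")
        # displayName is split on the delimiters Windows uses; tokens of 3+ chars count
        for token in re.split(r"[,.\-_ #\t]+", display_name):
            if len(token) >= 3 and token.lower() in lowered:
                problems.append(f"contains display-name token {token!r}")
    # Minimum password age: the rule that a later retry clears by itself
    if pwd_last_set is not None and now - pwd_last_set < min_age:
        problems.append("last change is more recent than the minimum password age")
    return problems
```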

Updated on September 18, 2022

Comments

  • cypher (over 1 year)

    I've set up an Ubuntu 16.04 system to join an AD domain following the instruction set here.

    I can login with AD users and everything is working correctly there, however AD users are unable to change their passwords either with passwd or kpasswd. I'm not sure what I might not have configured correctly.

    Here are my configuration files:

    == /etc/pam.d/common-password ==

    password        sufficient                      pam_sss.so
    password        required                        pam_cracklib.so retry=6 minlen=9 difok=1 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
    password        [success=1 default=ignore]      pam_unix.so obscure try_first_pass sha512
    password        requisite                       pam_deny.so
    password        required                        pam_permit.so
    password        optional                        pam_gnome_keyring.so
    

    == /etc/sssd/sssd.conf ==

    [sssd]
    domains = my.domain.com
    config_file_version = 2
    services = nss, pam
    
    [domain/my.domain.com]
    ad_domain = my.domain.com
    krb5_realm = my.domain.com
    realmd_tags = manages-system joined-with-adcli
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = False
    fallback_homedir = /home/%d/%u
    access_provider = ad
    
    auth_provider = ad
    chpass_provider = ad
    ldap_schema = ad
    dyndns_update = true
    dyndns_refresh_interval = 43200
    dyndns_update_ptr = true
    dyndns_ttl = 3600
    krb5_use_enterprise_principal = false
    

    Any help would be greatly appreciated. I've been googling for several hours now with no luck...

    EDIT:
    Here's what I'm seeing in the terminal:

    cypher@ubuVB2:~$ passwd
    Current Password: 
    New Password: 
    Reenter new Password: 
    Password change failed. Server message: Please make sure the password meets the complexity constraints.
    New password: 
    Retype new password: 
    passwd: Authentication token manipulation error
    passwd: password unchanged
    

    I'm certain that the password I'm trying to set meets the complexity requirements, so this is rather odd...

  • cypher (over 6 years)
    Thanks for the response. The issue seems to have fixed itself somehow, as I don't think I did anything to fix it.