Active Directory users unable to change passwords [SSSD]
Solution 1
The password complexity message is a bit generic; it just means that SSSD attempted to change the password, but for one reason or another the AD DC wouldn't let it. We use a generic message, because the password complexity is the most common one. If you enable debug_level=10 in the domain section, and then run the password change, the krb5_child.log file under /var/log/sssd would tell you the real reason. Don't forget to reset the debug_level back after you're done with the test, because debug_level=10 is quite verbose.
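The debugging procedure from the answer above, as an added shell example that is not part of the original answer or of SSSD itself. The function names are hypothetical, and the log filter assumes SSSD's usual `(0x....):` severity tag on each log line.

```shell
#!/bin/sh
# Added example: toggle debug_level in one [domain/...] section of sssd.conf,
# then pull only the failure lines out of krb5_child.log.

# set_domain_debug_level CONF DOMAIN LEVEL
# Sets debug_level in [domain/DOMAIN] only. An empty LEVEL removes the setting
# again. Returns 1 and leaves CONF untouched if the section is not found.
set_domain_debug_level() {
    conf=$1 domain=$2 level=$3
    tmp=$(mktemp) || return 1
    awk -v hdr="[domain/$domain]" -v lvl="$level" '
        /^[ \t]*\[/ {                                  # any section header
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            in_dom = (line == hdr)
            print
            if (in_dom) {
                found = 1
                if (lvl != "") print "debug_level = " lvl
            }
            next
        }
        in_dom && /^[ \t]*debug_level[ \t]*=/ { next }  # drop the old value
        { print }
        END { exit(found ? 0 : 1) }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # cat instead of mv keeps the owner and 0600 mode that sssd insists on.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# sssd_failures LOG
# Prints lines logged at the failure severities (0x0010 fatal, 0x0020 critical,
# 0x0040 serious, 0x0080 minor) and skips the trace output a high level adds.
sssd_failures() {
    grep -E '\(0x00(10|20|40|80)\):' "$1"
}

# Typical sequence, run as root (domain name taken from the question):
#   set_domain_debug_level /etc/sssd/sssd.conf my.domain.com 10 && systemctl restart sssd
#   ... the affected user runs passwd ...
#   sssd_failures /var/log/sssd/krb5_child.log
#   set_domain_debug_level /etc/sssd/sssd.conf my.domain.com "" && systemctl restart sssd
```

The last step matters for more than log volume: at this level the logs can carry account and ticket details, so they should not keep accumulating on a shared host.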
Solution 2
I know this question is old, but I figured I would offer up an explanation as to why you received the error "Password change failed. Server message: Please make sure the password meets the complexity constraints."
The GPO security settings on your Active Directory server were most likely default or possibly customized by the AD Administrator.
If you look under the "Default Domain Policy" settings, you will see something like: [image: ad_default_domain_policy]
You hit one of the constraints within this policy while attempting to change your password. This is why it started to work after waiting a period of time.
cypher
Updated on September 18, 2022
Comments
-
cypher over 1 year
I've set up an Ubuntu 16.04 system to join an AD domain following the instruction set here.
I can login with AD users and everything is working correctly there, however AD users are unable to change their passwords either with passwd or kpasswd. I'm not sure what I might not have configured correctly.
Here are my configuration files:
== /etc/pam.d/common-password ==
password sufficient pam_sss.so
password required pam_cracklib.so retry=6 minlen=9 difok=1 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
password [success=1 default=ignore] pam_unix.so obscure try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so
== /etc/sssd/sssd.conf ==
[sssd]
domains = my.domain.com
config_file_version = 2
services = nss, pam

[domain/my.domain.com]
ad_domain = my.domain.com
krb5_realm = my.domain.com
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = ad
auth_provider = ad
chpass_provider = ad
ldap_schema = ad
dyndns_update = true
dyndsn_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
krb5_use_enterprise_principal = false
Any help would be greatly appreciated. I've been googling for several hours now with no luck...
EDIT:
Here's what I'm seeing in the terminal:
cypher@ubuVB2:~$ passwd
Current Password:
New Password:
Reenter new Password:
Password change failed. Server message: Please make sure the password meets the complexity constraints.
New password:
Retype new password:
passwd: Authentication token manipulation error
passwd: password unchanged
I'm certain that the password I'm trying to set meets the complexity requirements, so this is rather odd...
-
cypher over 6 years
Thanks for the response. The issue seems to have fixed itself somehow, as I don't think I did anything to fix it.