[regression-update] Can't change local users password

In my opinion it is more important to change the local users password.
The AD password could be changed with kpasswd.

I'll look into it.

Status changed to 'Confirmed' because the bug affects multiple users.

Some sort of progress.. so there probably isn't any clean way out of this other than libpam-sss depending on libpam-cracklib/libpam-pwquality, which would force having it on top of the password stack. Then we could drop the separate pam-auth-config..

Ahem, one obvious solution would be to add 'forward_pass' to Password-Initial on sss-password, could you give it a go? Tried it here and seems to work for both local and remote users, with or without pam_cracklib.

For saucy though I'll probably add the depends to libpam-pwquality and drop the Priority.

I did the following:

--- /usr/share/pam-configs/sss-password.orig 2013-07-03 22:50:40.404765856 +0000
+++ /usr/share/pam-configs/sss-password 2013-07-03 23:03:05.556174607 +0000
@@ -6,4 +6,4 @@
 Password:
  sufficient pam_sss.so use_authtok
 Password-Initial:
- sufficient pam_sss.so
+ sufficient pam_sss.so forward_pass

and ran pam-auth-update --package. After that I have:
# here are the per-package modules (the "Primary" block)
password sufficient pam_sss.so forward_pass
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512

in common-password. And I still can't set password for local users:

~# passwd root
passwd: Authentication token manipulation error
passwd: password unchanged

This bug was fixed in the package sssd - 1.10.0-1ubuntu1

---------------
sssd (1.10.0-1ubuntu1) saucy; urgency=low

  * Sync from debian unstable git.

sssd (1.10.0-1) unstable; urgency=low

  [ Timo Aaltonen ]
  * New upstream release (Closes: #693054, #705357, #711101)
  * Update the packaging for the new version, thanks Esko Järnfors!
    - Add libsss-idmap0, libsss-idmap-dev packages
    - Add sssd Depends on libsss-idmap0
    - Add /var/lib/sss/mc directory for the new mmap cache
  * Split authentication providers to separate packages and make sssd
    a metapackage.
  * control: Drop libunistring-dev from build-depends and add libglib2.0-dev
    for unicode support.
  * sssd-*.install: Install new manpages.
  * python-sss.install: py-files got moved under SSSDConfig.
  * control, rules: Use default build flags, bump dpkg-dev build-dep to
    1.16.1~.
  * rules: Install the apparmor profile with -m644.
  * python-sss: Add pysss_murmur.so.
  * rules, control, sssd-ad-common.install: PAC responder support.
    - Add libndr-dev, libndr-standard-dev, libsamba-util-dev, samba4-dev,
      libdcerpc-dev to build-depends
    - Add -I/usr/include/samba-4.0 to CFLAGS
  * control: Mark sssd-common as Multi-Arch: foreign.
  * watch: Add a comment about the upstream git tree.
  * Replace perl snippet from libnss-sss.post* with sed, drop perl from
    Depends. (Closes: #686237)
  * compat: Bump compat to 9.
  * rules: Set DEB_HOST_MULTIARCH, drop --libdir and remnants of cdbs.
  * sssd-common.install: Install the support binaries under the multiarch path.
  * rules,sssd-common.postinst: Move generate-config to /usr/share/sssd.
  * rules, sssd-common.install: Use the correct install path for the
    krb5_locator plugin.
  * libnss-sss.postinst: SSSD doesn't handle shadow maps, so don't pretend
    that it would.
  * libsss-sudo*, control: Remove the soname from the library, move .so to
    the libsss-sudo, drop -dev package.
  * rules: Pass --datadir, so the path in autogenerated python files is
    correctly substituted. (LP: #1079938)
  * sssd-krb5-common.dirs: Add krb5 include dir.
  * fix-cve-2013-0219*.diff, -0220.diff: Dropped, included upstream.
  * libsss-sudo.postrm: Run ldconfig on remove/purge.
  * apparmor-profile: Fix the profile to use the multiarch path for it's
    helper location (LP: #1175317).
  * Add packaging for libsss-nss-idmap0, libsss-nss-idmap-dev,
    python-libsss-nss-idmap.
  * watch: Updated to work with alpha/beta releases.
  * control: Migrate to libnl-3 now that it's supported. (Closes: #688174)
  * sssd-common.{preinst,postrm}: Install the apparmor profile in force-complain
    mode on install, and remove the profile directory on purge (if empty). Also
    migrate from previous setup which installed it as disabled.
    (Closes: #676140)
  * control: Bump policy to 3.9.4, no changes.
  * control: Add libpam-pwquality (>= 1.2.2-1) to libpam-sss depends, which
    makes the password stack work in all cases. (LP: #1159983)
  * control: Drop check from build-depends for now, to work around a linking bug
    in check (#712140) that makes the tests fail on (at least) i386.

  [ Stéphane Graber ]
  * Add postinst/postrm scrip...

Is there any chances that this fix will be available in 12.04?

Yes it will, I'll think of a least embarrassing way to fix it first. Probably will just revert the change there.

1 month passed. Any news about fix in 12.04 LTS?

So, almost two months passed. Is there any problem to backport 1 plain-text file to 12.04 LTS?

no problem other than vacation and other commitments

I'll upload a revert later this week

sorry for the delay again, but the revert has been uploaded to precise-proposed now.

Hello Lorenz, or anyone else affected,

Accepted sssd into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/sssd/1.8.6-0ubuntu0.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changing the password was successful for both, local and AD user.

thanks for testing and sorry for the mess & delay..

This bug was fixed in the package sssd - 1.8.6-0ubuntu0.3

---------------
sssd (1.8.6-0ubuntu0.3) precise-proposed; urgency=low

  * Revert the pam password stack change, there's no way to fix it
    properly for every use case without adding new dependencies.
    (LP: #1159983)
 -- Timo Aaltonen <email address hidden> Fri, 13 Sep 2013 11:36:12 +0300

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.