Have a fairly simple setup of one AD server with various linux hosts. We attached the linux hosts to our domain by using:
realm discover domain.example.com
realm join domain.example.com -U user.adm
Our /etc/sssd/sssd.conf looks like:
[sssd]
domains = domain.example.com
config_file_version = 2
services = nss, pam
[domain/domain.example.com]
ad_domain = domain.example.com
krb5_realm = DOMAIN.EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = false
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = linuxaccess@domain.example.com
From here we can login as AD users that are a part of the linuxaccess group. I attempted to reset a password but get:
[username.lin@hostname ~] passwd
Current Password:
New password:
Retype new password:
Password change failed. Server message: Access denied
passwd: Authentication token manipulation error
/var/log/secure shows:
Oct 12 14:39:48 computer passwd: pam_unix(passwd:chauthtok): user "username.lin" does not exist in /etc/passwd
Oct 12 14:40:01 computer passwd: pam_unix(passwd:chauthtok): user "username.lin" does not exist in /etc/passwd
Oct 12 14:40:01 computer passwd: pam_sss(passwd:chauthtok): Password change failed for user username.lin: 20 (Authentication token manipulation error)
Thoughts on why changing passwords do not appear to be supported or what the misconfiguration could be? Guessing something in pam.d but not confident.
I tried to reproduce your scenario and I am also getting the same error when attempting password change for AD users.
the default group policy has a "Minimum Password Age" which will prevent you from changing the password for 24 hours after user creation / previous password change.
Solution is to change the GPO to zero days and do a gpupdate on domain controller - or wait for 24 hours.
The GPO security settings on your Active Directory server were most likely default or possibly customized by the AD Administrator.
Note: Minimum password age: Set this value to 1 day. Microsoft recommends to not set this to 0, because it would allow immediate password changes. Users can change the password 24 times the same day and get back to the old password.
Reference: https://www.pcwdld.com/domain-password-policy-how-to-configure#wbounce-modal