I'm in the process of testing out sssd on a CentOS 6 install using
Active Directory for user authentication via sssd
All appears to be working fine - however, when I change a user password
using 'passwd' (or at login when the account has expired etc), it
appears pam_cracklib is being over-zealous with the new password
requirements
Active Directory is set up with a password policy - but pam_cracklib
(and may be other PAM modules?) have stronger password policies
So, I would like passwd to use the AD password requirements - and ignore
any pam_cracklib requirements
The password settings in the system-auth and password-auth PAM config
files are (as generated by authconfig):
password requisite pam_cracklib.so try_first_pass retry=3 typepassword
sufficient pam_unix.so sha512 shadow nullok
try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
If I comment out the pam_cracklib line (and remove 'use_authtok' from
the other lines) - it appears to do what I want - but doesn't seem
'correct' to me - i.e. what would happen if there were any local users
defined on the system?
Does anyone have any suggestions on how PAM should be configured to
allow password changes to 'honour' the Active Directory password policy
requirements - but still impose requirements on non-AD users?
Thanks
James Pearson
