I'm in the process of testing out sssd on a CentOS 6 install using Active Directory for user authentication via sssd All appears to be working fine - however, when I change a user password using 'passwd' (or at login when the account has expired etc), it appears pam_cracklib is being over-zealous with the new password requirements Active Directory is set up with a password policy - but pam_cracklib (and may be other PAM modules?) have stronger password policies So, I would like passwd to use the AD password requirements - and ignore any pam_cracklib requirements The password settings in the system-auth and password-auth PAM config files are (as generated by authconfig): password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so If I comment out the pam_cracklib line (and remove 'use_authtok' from the other lines) - it appears to do what I want - but doesn't seem 'correct' to me - i.e. what would happen if there were any local users defined on the system? Does anyone have any suggestions on how PAM should be configured to allow password changes to 'honour' the Active Directory password policy requirements - but still impose requirements on non-AD users? Thanks James Pearson