Which /etc/pam.d/ config file do you need?
Lic. Mateo Duffour
Unidad Informática (IT Unit)
2901.40.91
[
http://maps.apple.com/?q=18%20de%20julio%20985%20-%20Piso%204,Montevideo,Uruguay
| 18 de julio 985 - Piso 3, Montevideo, Uruguay ]
[ http://www.fnr.gub.uy/ | ]
Don't print me unless necessary. Let's protect the environment. This message and
the information attached to it are addressed exclusively to their recipient.
They may contain confidential, privileged or restricted-use information,
protected by the applicable rules. If you received this e-mail by mistake,
please notify the sender and delete the original. Any other use of this e-mail
by you is prohibited.
From: "Mateo Duffour" <[email protected]>
To: "Alexander Bokovoy" <[email protected]>
Cc: "freeipa-users" <[email protected]>
Sent: Wednesday, 23 February, 2022 17:26:49
Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC -
User accounts with passwords expired
Hi, thank you for the quick reply.
We were further investigating the issue.
We were testing with user "usu5", whose password has expired. The IdM server
log below shows that the Samba AD DC is sending "Password has expired" for user
"usu5"; that's OK.
So we suspect that IdM is not behaving as expected: it should prompt the user
about the password expiry and let the user change it, but something is wrong
with our config or scenario, because that does not happen.
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: Password has
expired
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did not
match expectations
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.8
[email protected]
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth):
received for user [email protected]: 4 (System error)
Feb 23 08:14:37 idmsrvpru.idmpru.fnr.gub.uy sshd[4277]: error: PAM:
Authentication failure for [email protected] from 10.9.9.8
Also, the attached file contains the sssd_idmpru.fnr.gub.uy.log log, which
shows a login attempt with user "usu6", who is in the same situation as
"usu5".
############
We have done other tests as well. In this case we are logged on to the IdM
server as user "usu1", whose password is not expired and works properly. But
when we try to change it with "passwd", it also fails.
[[email protected]@idmsrvpru /]$ passwd
Changing password for user [email protected].
Current Password:
Password change failed. Server message: Old password not accepted.
passwd: Authentication token manipulation error
Log of this test on the IdM server:
Feb 23 08:15:40 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]:
pam_unix(passwd:chauthtok): user "[email protected]" does not exist in
/etc/passwd
Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]:
pam_sss(passwd:chauthtok): User info message: Password change failed. Server
message: Old password not accepted.
Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]:
pam_sss(passwd:chauthtok): Authentication failed for user
[email protected]: 4 (System error)
Which PAM logs do you need? We have several files, apparently.
Thank you guys again and best regards.
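The journal lines quoted in the message above (the sshd login and the passwd run) each end with a numeric pam_sss result code, and that code is what tells you whether the expiry ever reached PAM: Linux-PAM defines 12 as PAM_NEW_AUTHTOK_REQD, the value that makes the application call pam_chauthtok, and 4 as PAM_SYSTEM_ERR. The script below is an added example, not code from the thread, SSSD or FreeIPA. It pairs each pam_sss verdict with the krb5_child messages logged just before it and classifies the attempt. The sample journal is constructed: the failing lines mirror the excerpt in the thread with the host and realm replaced by the made-up idmclient.idm.example / idm.example, the final usu6 line is a hypothetical healthy run added for contrast, and the 5-second pairing window is an assumption (krb5_child and sshd are different processes, so their PIDs cannot be joined).

```python
"""Classify pam_sss / krb5_child journal lines from an SSSD (IPA/AD-trust) host.

Added example, not code from the thread or from SSSD/FreeIPA.  It reads the
syslog-style lines sshd/passwd and krb5_child emit, pairs each pam_sss result
with the krb5_child messages logged just before it, and reports whether an
expired password was handed to PAM as PAM_NEW_AUTHTOK_REQD (12), which lets
the PAM stack run the password-change prompt, or was lost as PAM_SYSTEM_ERR (4).
"""
import re
from datetime import datetime, timedelta

# Linux-PAM return codes (values from <security/_pam_types.h>) relevant here.
PAM_CODES = {
    0: "PAM_SUCCESS",
    4: "PAM_SYSTEM_ERR",
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
    12: "PAM_NEW_AUTHTOK_REQD",
    13: "PAM_ACCT_EXPIRED",
    20: "PAM_AUTHTOK_ERR",
}

# Constructed sample (host/realm are made up): the first six lines mirror the
# thread's excerpt; the last two are a hypothetical healthy expired-password
# login, added so the two outcomes can be compared.
SAMPLE_JOURNAL = """\
Feb 23 08:14:35 idmclient.idm.example krb5_child[4283]: Password has expired
Feb 23 08:14:35 idmclient.idm.example krb5_child[4283]: KDC reply did not match expectations
Feb 23 08:14:35 idmclient.idm.example sshd[4281]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.8 user=usu5@idm.example
Feb 23 08:14:35 idmclient.idm.example sshd[4281]: pam_sss(sshd:auth): received for user usu5@idm.example: 4 (System error)
Feb 23 08:15:40 idmclient.idm.example passwd[4335]: pam_unix(passwd:chauthtok): user "usu1@idm.example" does not exist in /etc/passwd
Feb 23 08:15:45 idmclient.idm.example passwd[4335]: pam_sss(passwd:chauthtok): Authentication failed for user usu1@idm.example: 4 (System error)
Feb 23 08:20:01 idmclient.idm.example krb5_child[5102]: Password has expired
Feb 23 08:20:01 idmclient.idm.example sshd[5100]: pam_sss(sshd:auth): received for user usu6@idm.example: 12 (Authentication token is no longer valid; new one required)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Both phrasings pam_sss uses when it logs the backend's verdict.
RESULT_RE = re.compile(
    r"pam_sss\((?P<service>[^:]+):(?P<phase>\w+)\): "
    r"(?:received|Authentication failed) for user (?P<user>\S+): "
    r"(?P<code>\d+) \((?P<text>.*)\)$"
)
# Assumption: krb5_child messages within this window before a pam_sss result
# belong to the same attempt (different processes, so PIDs cannot be joined).
WINDOW = timedelta(seconds=5)


def _parse_ts(ts: str) -> datetime:
    # Syslog timestamps carry no year; only differences are used here.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def classify(journal: str) -> list[dict]:
    """Return one finding per pam_sss result line, oldest first."""
    findings = []
    recent_krb5 = []  # (timestamp, message) from krb5_child, newest last
    for raw in journal.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = _parse_ts(m["ts"])
        if m["proc"] == "krb5_child":
            recent_krb5.append((ts, m["msg"]))
            continue
        r = RESULT_RE.search(m["msg"])
        if not r:
            continue  # pam_unix lines, "User info message" lines, etc.
        code = int(r["code"])
        krb5_notes = [msg for t, msg in recent_krb5 if ts - t <= WINDOW]
        recent_krb5 = []  # consumed by this attempt
        saw_expiry = any("Password has expired" in n for n in krb5_notes)
        if code == 12:
            verdict = "expired_password_surfaced"
            advice = "PAM got PAM_NEW_AUTHTOK_REQD; the application should now call pam_chauthtok."
        elif code == 4 and saw_expiry:
            verdict = "expired_password_lost"
            advice = ("krb5_child saw the expiry but pam_sss returned PAM_SYSTEM_ERR; "
                      "check krb5_child.log and sssd_<domain>.log around this timestamp.")
        elif code == 4:
            verdict = "system_error"
            advice = "Backend failure with no expiry reported; raise debug_level in sssd.conf."
        else:
            verdict = "other"
            advice = "See code_name."
        findings.append({
            "time": m["ts"], "service": r["service"], "phase": r["phase"],
            "user": r["user"], "code": code,
            "code_name": PAM_CODES.get(code, "UNKNOWN"),
            "krb5_notes": krb5_notes, "verdict": verdict, "advice": advice,
        })
    return findings


if __name__ == "__main__":
    for f in classify(SAMPLE_JOURNAL):
        print(f"{f['time']} {f['service']}:{f['phase']} {f['user']} "
              f"{f['code_name']} -> {f['verdict']}: {f['advice']}")
```

Feed it `journalctl -o short` output (or the syslog file) from the client; a run whose expiry lines end in PAM_SYSTEM_ERR rather than PAM_NEW_AUTHTOK_REQD is the one to chase in the SSSD domain and krb5_child logs at that timestamp.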
From: "Alexander Bokovoy" <[email protected]>
To: "freeipa-users" <[email protected]>
Cc: "Mateo Duffour" <[email protected]>
Sent: Wednesday, 23 February, 2022 05:14:42
Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC -
User accounts with passwords expired
Hello,
On Tue, 22 Feb 2022, Mateo Duffour via FreeIPA-users wrote:
Hi,
We currently have an IdM installation with a trust relationship with a
Samba AD DC. Our user accounts reside on the Samba AD DC; we don't have user
accounts on IdM. We are having a problem with Samba user accounts whose
passwords have expired.
When we try to log in on an Ubuntu IdM client with one of those
accounts, it fails and asks for the password again. The behaviour we are
expecting is that Ubuntu should ask for a password change.
I think you need to look at SSSD troubleshooting guide and investigate a
bit yourself. Without logs it is impossible to tell what's wrong.
Please see https://sssd.io/troubleshooting/basics.html and
https://sssd.io/troubleshooting/ipa_provider.html for two parts that
would be relevant here.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure