On Thu, Feb 24, 2022 at 11:53:07AM -0300, Mateo Duffour via FreeIPA-users wrote:
> Which /etc/pam.d/ config file do you need?

Hi,

from the logs below it looks like you are using ssh to log in, so it would be
/etc/pam.d/sshd and all the files which might be referenced in that file.

bye,
Sumit

>
> Lic. Mateo Duffour
> Unidad Informática
> 2901.40.91
> 18 de julio 985 - Piso 3, Montevideo, Uruguay
> http://www.fnr.gub.uy/
>
>
> From: "Mateo Duffour" <[email protected]>
> To: "Alexander Bokovoy" <[email protected]>
> Cc: "freeipa-users" <[email protected]>
> Sent: Wednesday, 23 February, 2022 17:26:49
> Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC -
> User accounts with passwords expired
>
> Hi, thank you for the quick reply.
>
> We were further investigating the issue.
>
> We were testing with user "usu5" that has its password expired. The log of
> IdM server below shows that Samba AD DC is sending "Password has expired" for
> user "usu5", that's OK.
> So we can suspect that IdM is not behaving as expected, it should prompt a
> password expiry to the user and let the user change it, but something is
> wrong with our config or scenario because that does not happen.
>
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: Password has expired
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did not match expectations
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.8 [email protected]
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): received for user [email protected]: 4 (System error)
> Feb 23 08:14:37 idmsrvpru.idmpru.fnr.gub.uy sshd[4277]: error: PAM: Authentication failure for [email protected] from 10.9.9.8
>
> Also in the attached file there is the log of sssd_idmpru.fnr.gub.uy.log that
> shows a login attempt with user "usu6", that is in the same situation as
> "usu5".
>
> ############
>
> We have done other tests as well, in this case we are logged on IdM server as
> user "usu1", which has a password not expired and working properly. But when
> we try to change it with "passwd" it also fails.
>
> [[email protected]@idmsrvpru /]$ passwd
> Changing password for user [email protected].
> Current Password:
> Password change failed. Server message: Old password not accepted.
> passwd: Authentication token manipulation error
>
> Log of this test on IdM server:
>
> Feb 23 08:15:40 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_unix(passwd:chauthtok): user "[email protected]" does not exist in /etc/passwd
> Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
> Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_sss(passwd:chauthtok): Authentication failed for user [email protected]: 4 (System error)
>
> Which pam logs do you need? We have several files apparently.
>
> Thank you guys again and best regards.
>
> Lic. Mateo Duffour
>
>
> From: "Alexander Bokovoy" <[email protected]>
> To: "freeipa-users" <[email protected]>
> Cc: "Mateo Duffour" <[email protected]>
> Sent: Wednesday, 23 February, 2022 05:14:42
> Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC -
> User accounts with passwords expired
>
> Hello,
>
> On Tue, 22 Feb 2022, Mateo Duffour via FreeIPA-users wrote:
>
> > Hi,
> >
> > We currently have an IdM installation with a trust relationship with a
> > Samba AD DC. Our user accounts reside on Samba AD DC, we don't have user
> > accounts on IdM. We are having a problem with Samba user accounts that
> > have their passwords expired.
> >
> > When we try to login with an Ubuntu IdM client with one of those
> > accounts, it fails and asks again for password. The behaviour we are
> > expecting is that Ubuntu should ask for a password change.
>
> I think you need to look at SSSD troubleshooting guide and investigate a
> bit yourself. Without logs it is impossible to tell what's wrong.
>
> Please see https://sssd.io/troubleshooting/basics.html and
> https://sssd.io/troubleshooting/ipa_provider.html for two parts that
> would be relevant here.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
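
The reply at the top of this message asks for /etc/pam.d/sshd and every file it references. The script below is an added example (not part of the thread, and not SSSD or FreeIPA code) that collects that set by following the Debian/Ubuntu `@include` directive and the Linux-PAM `include` and `substack` controls; the function name `referenced_files` is hypothetical, and the script works for any service name, for example `passwd` for the second test in the thread.

```python
#!/usr/bin/env python3
"""List every PAM file reachable from one service file (added example)."""
import os
import sys

PAM_TYPES = {"auth", "account", "password", "session"}


def referenced_files(service, pam_dir="/etc/pam.d"):
    """Return the service file plus all files it pulls in, in visit order.

    Follows the Debian/Ubuntu '@include NAME' directive and the Linux-PAM
    'include' / 'substack' controls. Missing files are reported with a
    '(missing)' suffix instead of raising.
    """
    seen, order = set(), []

    def visit(name):
        path = name if os.path.isabs(name) else os.path.join(pam_dir, name)
        if path in seen:          # guards against include loops
            return
        seen.add(path)
        if not os.path.isfile(path):
            order.append(path + " (missing)")
            return
        order.append(path)
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read().replace("\\\n", " ")   # join continued lines
        for line in text.splitlines():
            fields = line.split("#", 1)[0].split()  # drop comments
            if len(fields) >= 2 and fields[0] == "@include":
                visit(fields[1])
            elif (len(fields) >= 3
                  and fields[0].lstrip("-") in PAM_TYPES
                  and fields[1] in ("include", "substack")):
                visit(fields[2])

    visit(service)
    return order


if __name__ == "__main__":
    # Default to the sshd service named in the reply; pass another
    # service name (for example "passwd") as the first argument.
    for p in referenced_files(sys.argv[1] if len(sys.argv) > 1 else "sshd"):
        print(p)
```

Run it on the machine where the login fails and attach the listed files together with the SSSD logs.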
