Domain section of sssd.conf
[domain/ADTEST]
debug_level = 0xFFF0
id_provider = ad
ad_server = _srv_
dns_discovery_domain = sssdad.com
ad_domain = sssdad.com
chpass_provider = ad
krb5_canonicalize = False

Try to auth as a user (with "User must change password on next logon")

# ssh -l testuser1 localhost
testuser1@localhost's password:
Permission denied, please try again.
testuser1@localhost's password:

/var/log/sssd/krb5_child.log shows:
(Thu Jul 19 14:08:45 2012) [[sssd[krb5_child[27050]]]] [get_and_save_tgt] (0x0020): 862: [-1765328361][Password has expired]
(Thu Jul 19 14:08:45 2012) [[sssd[krb5_child[27050]]]] [tgt_req_child] (0x1000): Password was expired
(Thu Jul 19 14:08:45 2012) [[sssd[krb5_child[27050]]]] [tgt_req_child] (0x0020): 1141: [-1765328174][Generic preauthentication failure]

/var/log/secure shows:
Jul 19 14:08:45 dhcp201-207 sshd[27048]: pam_sss(sshd:auth): system info: [Generic preauthentication failure]
Jul 19 14:08:45 dhcp201-207 sshd[27048]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=testuser1
Jul 19 14:08:45 dhcp201-207 sshd[27048]: pam_sss(sshd:auth): received for user testuser1: 4 (System error)
Jul 19 14:08:47 dhcp201-207 sshd[27048]: Failed password for testuser1 from ::1 port 54887 ssh2

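The krb5_child.log signature quoted above (an expired password followed by a second Kerberos error in the same child process) can be picked out of a log mechanically. The following is an added example, not part of the ticket or of SSSD; the function name is hypothetical and the two log lines for child PID 27061 are constructed for contrast.

```python
import re

# First three lines are the krb5_child.log entries quoted in this ticket;
# the last two (child PID 27061) are constructed for contrast.
SAMPLE_LOG = """\
(Thu Jul 19 14:08:45 2012) [[sssd[krb5_child[27050]]]] [get_and_save_tgt] (0x0020): 862: [-1765328361][Password has expired]
(Thu Jul 19 14:08:45 2012) [[sssd[krb5_child[27050]]]] [tgt_req_child] (0x1000): Password was expired
(Thu Jul 19 14:08:45 2012) [[sssd[krb5_child[27050]]]] [tgt_req_child] (0x0020): 1141: [-1765328174][Generic preauthentication failure]
(Thu Jul 19 14:09:02 2012) [[sssd[krb5_child[27061]]]] [get_and_save_tgt] (0x0020): 862: [-1765328361][Password has expired]
(Thu Jul 19 14:09:02 2012) [[sssd[krb5_child[27061]]]] [tgt_req_child] (0x1000): Password was expired
"""

# Timestamp, child PID, function name and message of one krb5_child log line.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$"
)
# Kerberos error as it appears in these lines: "[<code>][<text>]"
KRB_ERR_RE = re.compile(r"\[(-?\d+)\]\[([^\]]+)\]")


def failed_expiry_flows(log_text):
    """Return (pid, timestamp, code, text) for each krb5_child process that
    logged an expired password and then a different Kerberos error."""
    expired = set()   # child PIDs that reported an expired password
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a krb5_child line, skip it
        pid, msg = m["pid"], m["msg"]
        err = KRB_ERR_RE.search(msg)
        if "Password has expired" in msg or "Password was expired" in msg:
            expired.add(pid)
        elif err and pid in expired:
            # A later error in the same child: the expiry handling failed.
            findings.append((pid, m["ts"], int(err.group(1)), err.group(2)))
    return findings


if __name__ == "__main__":
    for pid, ts, code, text in failed_expiry_flows(SAMPLE_LOG):
        print(f"{ts} krb5_child[{pid}]: expired password, then {code} {text}")
```

Child PIDs can be reused over a long log, so run it over a window short enough that a PID identifies one authentication attempt.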
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.9.0
priority: major => blocker
rhbz: => 0
milestone: SSSD 1.9.0 => SSSD 1.9.0 RC1
owner: somebody => sgallagh
status: new => assigned
Ok, I did some digging today and this appears to be an issue with SSH only. If you try using "login" or "su" to authenticate the user, you are correctly prompted for password-change.
Additionally, this only happens (in my testing) when the user we are trying to log into requires a shell that is not available on the system running the openssh server. From my debugging, it appears that (for reasons unknown), SSH sends garbage in the authtok field of the pam_authenticate() call when the shell is nonexistent. I will be opening a bug against openssh on this.
Kaushik, please check that you have the user's shell installed on the system (or use vetoed_shells and fallback_shell to force it into something you do have) and retest.
proposed_priority: => Undefined
I opened https://bugzilla.redhat.com/show_bug.cgi?id=849241 against openssh in Fedora to address this issue. I'm closing this bug as INVALID. Please reopen it if you can reproduce the issue without an invalid shell in the user identity.
resolution: => invalid
status: assigned => closed

Metadata Update from @kaushikub:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.9.0 beta 7
SSSD is moving from Pagure to GitHub. This means that new issues and pull requests will be accepted only in SSSD's GitHub repository.
This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/2472
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.