Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1089250
Description of problem:
User with expired shadow policy is not prompted for password change when shadowLastChange is 0

Version-Release number of selected component (if applicable):
sssd-1.11.2-65.el7

How reproducible:
Always

Steps to Reproduce:
1. Disable any server side password policies.
2. Set ldap_pwd_policy = shadow in sssd.conf

    [domain/LDAP]
    debug_level = 0xFFF0
    id_provider = ldap
    ldap_uri = ldap://<ldapserver>
    ldap_tls_cacert = /etc/openldap/certs/cacert.asc
    ldap_search_base = dc=example,dc=com
    ldap_pwd_policy = shadow

3. Set shadowLastChange to 0 in the user ldap attribute.

    # ldapsearch -x -LLL -h <ldapserver> -b "dc=example,dc=com" uid=shadowuser1
    dn: uid=shadowuser1,ou=People,dc=example,dc=com
    uid: shadowuser1
    cn: shadowuser1
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    shadowLastChange: 0
    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 9901
    gidNumber: 9901
    homeDirectory: /home/shadowuser1

4. Auth as the user

    # ssh -l shadowuser1 localhost
    shadowuser1@localhost's password:
    Permission denied, please try again.
    shadowuser1@localhost's password:

Actual results:
Password change prompt does not appear.

/var/log/sssd/sssd_LDAP.log shows:

    (Fri Apr 18 06:35:22 2014) [sssd[be[LDAP]]] [find_password_expiration_attributes] (0x4000): Found shadow password expiration attributes.
    ..
    (Fri Apr 18 06:35:22 2014) [sssd[be[LDAP]]] [check_pwexpire_shadow] (0x0100): Last change day is not set, new password needed.
    (Fri Apr 18 06:35:22 2014) [sssd[be[LDAP]]] [sdap_pam_auth_done] (0x0020): check_pwexpire_shadow failed.

/var/log/secure shows:

    Apr 18 06:35:22 beast sshd[18105]: pam_sss(sshd:auth): received for user shadowuser1: 4 (System error)

Expected results:
Password change prompt should appear.

Additional info:
With server side password policies enabled, the following is seen:

    # ssh -l shadowuser1 localhost
    shadowuser1@localhost's password:
    Your password has expired. You have 1 grace login(s) remaining.
    [shadowuser1@ibm-z10-51 ~]$
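The shadow(5) ageing evaluation that the report exercises, as an added example in C and not SSSD's own code: it reads the ticket's LDIF attributes and maps shadowLastChange: 0 to a "change required" answer (the PAM prompt the reporter expected) instead of a system error. The enum, struct and function names (shadow_eval, parse_shadow_ldif, ldif_long) are made up for the example; the sample LDIF in the test is constructed from the entry shown above.

```c
#include <stdlib.h>
#include <string.h>

/* What a PAM responder must answer after evaluating shadow(5) ageing attributes. */
enum shadow_result {
    SHADOW_OK,              /* password valid, nothing to do */
    SHADOW_WARN,            /* valid, but expires within shadowWarning days */
    SHADOW_CHANGE_REQUIRED, /* must change now: PAM_NEW_AUTHTOK_REQD, not a system error */
    SHADOW_EXPIRED          /* past shadowLastChange + shadowMax: refuse the login */
};

struct shadow_attrs {      /* -1 marks an attribute absent from the entry */
    long last_change;      /* shadowLastChange: days since 1970-01-01; 0 forces a change */
    long max_days;         /* shadowMax */
    long warn_days;        /* shadowWarning */
};
/* Read one integer attribute from LDIF text, matching only at line start; -1 if absent. */
static long ldif_long(const char *ldif, const char *attr)
{
    char key[64];
    strcpy(key, attr);
    strcat(key, ": ");
    for (const char *p = ldif; (p = strstr(p, key)) != NULL; p += strlen(key))
        if (p == ldif || p[-1] == '\n')
            return strtol(p + strlen(key), NULL, 10);
    return -1;
}

struct shadow_attrs parse_shadow_ldif(const char *ldif)
{
    struct shadow_attrs a = { ldif_long(ldif, "shadowLastChange"),
        ldif_long(ldif, "shadowMax"), ldif_long(ldif, "shadowWarning") };
    return a;
}

/* Evaluate for a login on 'today' (days since the epoch); *days_left is set once ageing applies. */
enum shadow_result shadow_eval(const struct shadow_attrs *a, long today, long *days_left)
{
    if (a->last_change == 0)
        return SHADOW_CHANGE_REQUIRED;  /* the shadowLastChange: 0 case from the ticket */
    if (a->last_change < 0 || a->max_days < 0)
        return SHADOW_OK;               /* no ageing information: the password never expires */
    long expires = a->last_change + a->max_days;
    *days_left = expires - today;       /* negative once the password has expired */
    if (*days_left < 0)
        return SHADOW_EXPIRED;
    if (a->warn_days > 0 && *days_left <= a->warn_days)
        return SHADOW_WARN;
    return SHADOW_OK;
}
```

A responder that returns SHADOW_CHANGE_REQUIRED to PAM gets the password-change dialog; returning an error code, as in the log above, yields the "System error" seen in /var/log/secure.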
Do not disable server password policies. Relying only on shadow is not secure and thus not a preferred method.
blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
milestone: NEEDS_TRIAGE => SSSD Deferred
review: True => 0
selected: =>
testsupdated: => 0
Fields changed
milestone: SSSD Deferred => SSSD 1.12.1
Requested by downstream for inclusion sooner.
milestone: SSSD 1.12.1 => SSSD 1.11.7
owner: somebody => jhrozek
status: new => assigned
patch: 0 => 1
resolution: => fixed
status: assigned => closed
Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.11.7
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3365
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for any inconvenience.