SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

Kerberos Krb5: "Account Locked" Warning Message on Login Screen #5219

Open manofftoday opened 4 years ago

manofftoday commented 4 years ago

Hi there,

We are migrating from pam to sssd. We have an OpenLDAP and Kerberos infrastructure. Kerberos is the service used to authenticate the users, and we use Kerberos password policies to determine the account lockout. LDAP is using saslauthd.

Actually, with pam_krb5.so we receive a message when an account is locked due to exceeding the maximum number of failed attempts. Although we are getting all the messages with sssd (expiration messages, change-password messages...), we are not getting a message for the locked accounts.

I'm afraid this function may not be implemented?

Thank you so much.

Kind Regards.

sumit-bose commented 4 years ago

Hi,

you are right, the KDC error code KRB5KDC_ERR_CLIENT_REVOKED, which is sent if the account is locked, is just handled as an authentication error without a dedicated message. But the fix might be as easy as

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index a1c0b36..207c010 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1037,6 +1037,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
     case ERR_ACCOUNT_LOCKED:
         state->pam_status = PAM_PERM_DENIED;
         state->dp_err = DP_ERR_OK;
+        state->pd->account_locked = true;
         ret = EOK;
         goto done;
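Review bot: The hunk carries no test, so nothing verifies that the ERR_ACCOUNT_LOCKED branch in krb5_auth_done now sets `state->pd->account_locked = true;` and that the message configured as `pam_account_locked_message` in the [pam] section actually reaches the PAM client; add a unit test for this branch before merging, and state in the commit message that the message is only shown when that option is set, since telling a caller "locked" rather than a plain PAM_PERM_DENIED is a deliberate disclosure choice the administrator opts into.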

and

pam_account_locked_message = "Account Locked"

should be added to the [pam] section in sssd.conf.

Can you try the patch yourself, or shall I try to prepare a test build? In the latter case please let me know which platform you are using and which SSSD package version you are currently using.

bye, Sumit
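A lab check for the behaviour discussed above, added here as an example; it is not part of the issue, the patch, or SSSD itself. It assumes a throwaway MIT KDC on the same host (kadmin.local), an sssd.conf whose [pam] section already carries pam_account_locked_message, a PAM service stack that goes through pam_sss, and the pamtester tool; the realm, policy and principal names are made up for the lab. The script burns the lockout budget with kinit so the KDC starts returning KRB5KDC_ERR_CLIENT_REVOKED, confirms that from kinit's own error text, then runs the PAM stack and looks for the configured message in its output.

```shell
#!/bin/sh
# Lab reproduction of the Kerberos lockout message path (added example, not
# SSSD code). Assumes: MIT KDC with kadmin.local on this host, sssd.conf with
# pam_account_locked_message in [pam], pamtester installed. Names are lab-only.
set -eu

REALM=${REALM:-EXAMPLE.TEST}       # assumption: lab realm
PRINC=${PRINC:-locktest}           # assumption: throwaway principal
POLICY=${POLICY:-locktest-pol}     # assumption: throwaway password policy
PAM_SERVICE=${PAM_SERVICE:-sshd}   # assumption: a PAM service that uses pam_sss
SSSD_CONF=${SSSD_CONF:-/etc/sssd/sssd.conf}
MAXFAIL=3

# Map kinit's stderr to the outcome we care about. A locked principal makes the
# KDC answer KRB5KDC_ERR_CLIENT_REVOKED, which MIT kinit reports as
# "Client's credentials have been revoked".
classify_kinit_error() {
    case "$1" in
        *"credentials have been revoked"*)                       echo locked ;;
        *"Password incorrect"*|*"Preauthentication failed"*)     echo bad-password ;;
        "")                                                      echo ok ;;
        *)                                                       echo other ;;
    esac
}

# Read the message the admin configured; assumes the key appears once in the
# file (the sed does not restrict itself to the [pam] section). Surrounding
# quotes, as in the snippet from the issue, are stripped.
configured_locked_message() {
    sed -n 's/^[[:space:]]*pam_account_locked_message[[:space:]]*=[[:space:]]*//p' "$SSSD_CONF" \
        | tr -d '"'
}

setup_locked_principal() {
    # failurecountinterval 0: failures never age out; lockoutduration 0: locked
    # until an admin unlocks. requires_preauth is needed, otherwise the KDC
    # cannot see a wrong password and will not count it.
    kadmin.local -q "add_policy -maxfailure $MAXFAIL -failurecountinterval 0 -lockoutduration 0 $POLICY"
    kadmin.local -q "add_principal -pw Secret123 -policy $POLICY +requires_preauth $PRINC"
    i=0
    while [ "$i" -lt "$MAXFAIL" ]; do
        printf 'wrong\n' | kinit "$PRINC@$REALM" >/dev/null 2>&1 || true
        i=$((i + 1))
    done
}

# KDC side: the correct password must now be refused as revoked.
check_kdc_locked() {
    err=$(printf 'Secret123\n' | kinit "$PRINC@$REALM" 2>&1 >/dev/null || true)
    classify_kinit_error "$err"
}

# SSSD side: run the PAM stack for the locked user and return its output.
check_pam_message() {
    printf 'Secret123\n' | pamtester -v "$PAM_SERVICE" "$PRINC" authenticate 2>&1 || true
}

main() {
    msg=$(configured_locked_message)
    [ -n "$msg" ] || { echo "pam_account_locked_message is not set in $SSSD_CONF" >&2; exit 1; }
    setup_locked_principal
    [ "$(check_kdc_locked)" = locked ] || { echo "KDC did not lock $PRINC" >&2; exit 1; }
    if check_pam_message | grep -qF -- "$msg"; then
        echo "pam_sss reported the configured message: $msg"
    else
        echo "locked account was refused without the configured message" >&2
        exit 1
    fi
}

# Only touch the KDC when explicitly asked: ./lockout-check.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

Run it as `sh lockout-check.sh run` on the lab box after restarting sssd with the new [pam] setting; afterwards `kadmin.local -q "modprinc -unlock locktest"` clears the lock. The KDC check is there so a missing message can be blamed on SSSD rather than on a lockout that never happened, which is the usual reason such a test gives a false negative.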

manofftoday commented 4 years ago

Thank you so much for your quick reply. I will discuss with the team whether we can go with a custom test build with that piece of code. But due to the nature of the project I am in, I'm afraid they won't let us use a custom build.

Anyway, thank you a lot, since you also answered my doubt about whether this was already implemented :) And of course I will try to test this in my own lab environment.

Have a nice day.

joakim-tjernlund commented 4 years ago

@manofftoday , did the above patch work?

andreboscatto commented 1 year ago

@manofftoday we are willing to go ahead and close this request, do you have any news since?

joakim-tjernlund commented 1 year ago

I added the above patch for us and it works.

andreboscatto commented 1 year ago

Thanks for the feedback @joakim-tjernlund :) I'll switch the labels and find the next steps to incorporate this patch as well. I'm not sure if we need to add/change any tests we currently have under SSSD, to take into account this new behavior and make sure it doesn't break in the future.

@sumit-bose @pbrezina @alexey-tikhonov can you please assist here?

sumit-bose commented 1 year ago

Hi,

I agree, the fix can be used but it looks like tests are missing at least in SSSD upstream. Maybe the IPA team has some test which include locked principals?

bye, Sumit