Open nikigen68 opened 1 week ago
Hi,
according to the logs the password policy indicates that the password is expired and must be renewed. Unfortunately PAM does not trigger the renewal step during authentication but during access control, and I haven't found anything related in the logs. Can you check your PAM configuration for sshd and check if pam_sss.so is called in the account block?
bye, Sumit
Hi Sumit,
It seems pam_sss is called from account block: account [default=bad success=ok user_unknown=ignore] /lib64/security/pam_sss.so
Attached configuration files: sshd sssd.conf nsswitch.conf ldap.conf common-password
Best Regards, Nikola
Hi,
thanks for the config files, pam_sss.so is missing in common-password. I'm not completely sure if this will already help, because I still wonder why there are no messages from the access control step in the SSSD debug logs.
bye, Sumit
Hi Sumit,
We have used this command to collect debug logs: /usr/sbin/sssd -i -d9
In which way should common-password be updated with pam_sss.so? Should it be something like: password sufficient pam_sss.so use_authtok
Regards, Nikola
> Hi Sumit,
> We have used this command to collect debug logs: /usr/sbin/sssd -i -d9
Hi,
yes, this should cover the access control step as well.
> In which way should common-password be updated with pam_sss.so? Should it be something like: password sufficient pam_sss.so use_authtok
Yes, but you might have to modify the pam_unix line as well to properly skip pam_sss and pam_deny.
bye, Sumit
> Regards, Nikola
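The common-password stack Sumit describes, written out as an added example for this thread; it is not taken from the attached configuration files. The layout follows the Debian/Ubuntu pam-auth-update style, and the pam_unix options (obscure, sha512) are assumptions.

```text
# Stack without pam_sss.so (constructed to show the problem): when the
# account step reports an expired LDAP password, only pam_unix.so is
# available for the change, so it cannot be renewed via SSSD.
#
#   password  [success=1 default=ignore]  pam_unix.so obscure sha512
#   password  requisite                   pam_deny.so
#   password  required                    pam_permit.so
#
# Corrected stack: for a local user pam_unix.so succeeds and success=2
# jumps over the next two lines, so pam_sss.so and pam_deny.so are
# skipped and pam_permit.so closes the stack. For an LDAP user pam_unix.so
# returns "ignore", pam_sss.so (sufficient) performs the password change
# through SSSD, and pam_deny.so is reached only if both modules fail.
password  [success=2 default=ignore]  pam_unix.so obscure sha512
password  sufficient                  pam_sss.so use_authtok
password  requisite                   pam_deny.so
password  required                    pam_permit.so
```

On Debian-based systems common-password is generated by pam-auth-update from the profiles in /usr/share/pam-configs, so enable the sss profile there rather than editing the file by hand, or the change is lost on the next update.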
In case invalidCredentials bindResponse is received for wrong password then the login is rejected as expected. Please let me know what would be the proper way to modify common-password.
> In case invalidCredentials bindResponse is received for wrong password then the login is rejected as expected. Please let me know what would be the proper way to modify common-password.
Hi,
yes, because in this case there will be no reply from the password policy control that the password is expired.
bye, Sumit
As the subject suggests, the sssd-ldap client allows user sdi3pwd5minn even though the server sends invalidCredentials in bindResponse. Why is it not rejected?
sssd_debug.log