This sounds like a bug, could you follow https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html, gather logs from the pam and domain sections and post them here? If the password is expired, then pam_sss should send a message to the login manager which the login manager should display.
The logs would at least show if the deamon is sending the message to pam_sss… > On 21 Dec 2017, at 09:39, Johan Vermeulen via FreeIPA-users > <[email protected]> wrote: > > Hello All, > > We run some 200 Centos7/Mate laptops, since last year they authenticate > against freeipa. > Lightdm/Mate are installed using epel repo. > > On Centos7.3/Lightdm 1.10.6-4.el7 things were al right, when a password > expired, users would get the passwd expired field, the "new password" field > en warnings if the made a mistake. > Since upgrading to Centos7.4/Lightdm 1.25.0-1.el7 things go terribly wrong. > Users very often get no warning if a password expired, just an authentication > failure. > Or they get no message at all. > > If at that point you got to tty....and log in you do get the warnings on the > command line. > The log files /var/log/secure also give clear password expired messages, only > the user sees nothing. > > This is a big problem because users cannot login and cannot work without > interventions. > > Many thanks for any help. > > Greetings, J. > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
