Hello Jakub,

thanks for helping me out.

It works in the console. When an expired user logs in via ctl-alt-f.... he
gets all the warnings.
I will try to increase pam verbosity and report back.

Greetings, J.

2018-01-08 14:59 GMT+01:00 Jakub Hrozek <jhro...@redhat.com>:

> On Mon, Jan 08, 2018 at 11:27:47AM +0100, Johan Vermeulen wrote:
> > Hello All,
> >
> > I've set up a new machine for this test and increased the log levels to 6.
> > Config for Freeipa-client is done with ipa-client-install, I use chrony
> > instead of ntp and Selinux is enabled.
> >
> > When the user logs in, /var/log/secure indicates:
> >
> > [root@node1 ~]# tail -f /var/log/secure
> > Jan  5 09:27:17 node1 lightdm: pam_sss(lightdm:auth): received for user jvanvlasselaer: 7 (Authentication failure)
> > Jan  5 09:27:29 node1 lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jvanvlasselaer
> > Jan  5 09:27:29 node1 lightdm: pam_sss(lightdm:auth): received for user jvanvlasselaer: 12 (Authentication token is no longer valid; new one required)
> > Jan  5 09:27:29 node1 lightdm: pam_sss(lightdm:account): User info message: Password expired. Change your password now.
> > Jan  5 09:27:29 node1 lightdm: pam_unix(lightdm:chauthtok): user "jvanvlasselaer" does not exist in /etc/passwd
> >
> > But the lightdm gui screen indicates nothing.
> >
>
> > (Fri Jan  5 09:27:29 2018) [sssd[pam]] [pam_dp_process_reply] (0x0200):
> > received: [12 (Authenticatietoken is niet langer geldig; nieuwe is
> > vereist)][network.cawdekempen.be]
> > (Fri Jan  5 09:27:29 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply
> > called with result [12]: Authenticatietoken is niet langer geldig; nieuwe
> > is vereist.
> > (Fri Jan  5 09:27:29 2018) [sssd[pam]] [filter_responses] (0x0100):
> > [pam_response_filter] not available, not fatal.
> > (Fri Jan  5 09:27:29 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 39
>
> Here I at least see that the message did reach the sssd_pam process and I
> don't see anything that would indicate that the message was filtered out
> (OTOH, the debugging is not stellar in this area of code..)
>
> I've never used lightdm, did you maybe test with some other login
> method, like login to the console or su from another non-root user?
>
> Does it help to increase pam_verbosity in the [pam] section (see man
> sssd.conf for a description)?
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
