Which /etc/pam.d/ config file do you need?

Lic. Mateo Duffour
IT Unit (Unidad Informática)
2901.40.91

18 de julio 985 - Piso 3, Montevideo, Uruguay
(http://maps.apple.com/?q=18%20de%20julio%20985%20-%20Piso%204,Montevideo,Uruguay)
http://www.fnr.gub.uy/

Please do not print this message unless necessary. Let's protect the environment.
This message and the information attached to it are addressed exclusively to
their recipient. They may contain confidential, privileged or restricted-use
information, protected by law. If you received this e-mail in error, please
notify the sender and delete the original. Any other use of this e-mail by you
is prohibited.


From: "Mateo Duffour" <mduff...@fnr.gub.uy> 
To: "Alexander Bokovoy" <aboko...@redhat.com> 
Cc: "freeipa-users" <freeipa-users@lists.fedorahosted.org> 
Sent: Wednesday, 23 February, 2022 17:26:49 
Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC - 
User accounts with passwords expired 

Hi, thank you for the quick reply. 

We were further investigating the issue. 

We were testing with user "usu5", whose password has expired. The IdM server log
below shows that the Samba AD DC is sending "Password has expired" for user
"usu5", which is OK.
So we can suspect that IdM is not behaving as expected: it should prompt the
user about the password expiry and let the user change it, but something is
wrong with our config or scenario because that does not happen.

Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: Password has expired
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did not match expectations
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.8 user=u...@adtest.fnr.gub.uy
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): received for user u...@adtest.fnr.gub.uy: 4 (System error)
Feb 23 08:14:37 idmsrvpru.idmpru.fnr.gub.uy sshd[4277]: error: PAM: Authentication failure for u...@adtest.fnr.gub.uy from 10.9.9.8

Also, the attached file sssd_idmpru.fnr.gub.uy.log contains the log of a login
attempt with user "usu6", which is in the same situation as "usu5".

############ 

We have done other tests as well. In this case we are logged on to the IdM
server as user "usu1", whose password has not expired and works properly. But
when we try to change it with "passwd" it also fails.

[u...@adtest.fnr.gub.uy@idmsrvpru /]$ passwd 
Changing password for user u...@adtest.fnr.gub.uy. 
Current Password: 
Password change failed. Server message: Old password not accepted. 
passwd: Authentication token manipulation error 

Log of this test on IdM server: 

Feb 23 08:15:40 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_unix(passwd:chauthtok): user "u...@adtest.fnr.gub.uy" does not exist in /etc/passwd
Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_sss(passwd:chauthtok): Authentication failed for user u...@adtest.fnr.gub.uy: 4 (System error)

Which PAM logs do you need? We have several files, apparently.


Thank you guys again and best regards. 

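The pattern in the logs above (krb5_child reporting "Password has expired", followed by pam_sss returning 4 (System error) for the same login) is worth telling apart from ordinary wrong-password failures, otherwise an expired-password handling problem like this one inflates brute-force counters and hides the real cause. The following Python is an added example, not code from the thread, SSSD or FreeIPA; the hostname, the user names and the second, ordinary failed login in the sample are constructed.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the thread's log lines (host, users and the
# second, ordinary failed login are placeholders, not data from the thread).
SAMPLE_LOG = """\
Feb 23 08:14:35 idm.example.test krb5_child[4283]: Password has expired
Feb 23 08:14:35 idm.example.test krb5_child[4283]: KDC reply did not match expectations
Feb 23 08:14:35 idm.example.test sshd[4281]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.8 user=usu5@ad.example.test
Feb 23 08:14:35 idm.example.test sshd[4281]: pam_sss(sshd:auth): received for user usu5@ad.example.test: 4 (System error)
Feb 23 08:14:37 idm.example.test sshd[4277]: error: PAM: Authentication failure for usu5@ad.example.test from 10.9.9.8
Feb 23 08:20:02 idm.example.test sshd[4390]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.8 user=usu1@ad.example.test
Feb 23 08:20:02 idm.example.test sshd[4390]: pam_sss(sshd:auth): received for user usu1@ad.example.test: 7 (Authentication failure)
"""

# syslog prefix "<timestamp> <host> <program>[<pid>]: <message>" and the
# pam_sss result line, whose numeric code is the Linux-PAM return value
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
RESULT_RE = re.compile(
    r"pam_sss\((?P<svc>\w+):auth\): received for user (?P<user>\S+): "
    r"(?P<code>\d+) \((?P<text>[^)]*)\)")

PAM_SYSTEM_ERR = 4   # the value behind "4 (System error)"
EXPIRY_WINDOW_S = 5  # krb5_child lines carry no user name: correlate by host and time

def classify(log_text):
    # One finding per pam_sss auth result, with a verdict an alert rule can key on.
    events = [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]
    for e in events:
        e["t"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")
    expiries = [e for e in events if e["prog"] == "krb5_child" and e["msg"] == "Password has expired"]
    findings = []
    for e in events:
        r = RESULT_RE.search(e["msg"])
        if not r:
            continue
        code = int(r["code"])
        near_expiry = any(x["host"] == e["host"] and
                          abs((e["t"] - x["t"]).total_seconds()) <= EXPIRY_WINDOW_S for x in expiries)
        if code == PAM_SYSTEM_ERR and near_expiry:
            verdict = "expired-password-not-handled"  # config/behaviour issue, not a bad guess
        elif code == PAM_SYSTEM_ERR:
            verdict = "backend-error"                 # SSSD/KDC trouble, check the sssd logs
        else:
            verdict = "credential-failure"            # counts toward brute-force thresholds
        findings.append({"user": r["user"], "service": r["svc"], "code": code, "verdict": verdict})
    return findings
```

The time-window correlation is a heuristic: when several logins overlap on one host within the window, confirm against the sssd domain log before acting on the verdict.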


From: "Alexander Bokovoy" <aboko...@redhat.com> 
To: "freeipa-users" <freeipa-users@lists.fedorahosted.org> 
Cc: "Mateo Duffour" <mduff...@fnr.gub.uy> 
Sent: Wednesday, 23 February, 2022 05:14:42 
Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC - 
User accounts with passwords expired 

Hello, 

On Tue, 22 Feb 2022, Mateo Duffour via FreeIPA-users wrote:


Hi, 

We currently have an IdM installation with a trust relationship with a
Samba AD DC. Our user accounts reside on the Samba AD DC; we don't have user
accounts on IdM. We are having a problem with Samba user accounts whose
passwords have expired.

When we try to log in with an Ubuntu IdM client with one of those
accounts, it fails and asks again for the password. The behaviour we are
expecting is that Ubuntu should ask for a password change.



I think you need to look at SSSD troubleshooting guide and investigate a 
bit yourself. Without logs it is impossible to tell what's wrong. 

Please see https://sssd.io/troubleshooting/basics.html and 
https://sssd.io/troubleshooting/ipa_provider.html for two parts that 
would be relevant here. 

-- 
/ Alexander Bokovoy 
Sr. Principal Software Engineer 
Security / Identity Management Engineering 
Red Hat Limited, Finland 

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org