Which /etc/pam.d/ config file do you need?

Lic. Mateo Duffour
Unidad Informática
2901.40.91
[ http://maps.apple.com/?q=18%20de%20julio%20985%20-%20Piso%204,Montevideo,Uruguay | 18 de julio 985 - Piso 3, Montevideo, Uruguay ]
http://www.fnr.gub.uy/
Please don't print this message unless necessary. Let's protect the environment.
This message and the information attached to it are intended exclusively for the addressee. It may contain confidential, privileged or restricted-use information protected by law. If you received this e-mail in error, please notify the sender and delete the original. Any other use of this e-mail by you is prohibited.

From: "Mateo Duffour" <mduff...@fnr.gub.uy>
To: "Alexander Bokovoy" <aboko...@redhat.com>
Cc: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
Sent: Wednesday, 23 February, 2022 17:26:49
Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC - User accounts with passwords expired

Hi, thank you for the quick reply.

We were further investigating the issue. We were testing with user "usu5", whose password has expired. The log of the IdM server below shows that Samba AD DC is sending "Password has expired" for user "usu5"; that's OK. So we can suspect that IdM is not behaving as expected: it should prompt the user about the password expiry and let the user change it, but something is wrong with our config or scenario because that does not happen.

Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: Password has expired
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did not match expectations
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.8 user=u...@adtest.fnr.gub.uy
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): received for user u...@adtest.fnr.gub.uy: 4 (System error)
Feb 23 08:14:37 idmsrvpru.idmpru.fnr.gub.uy sshd[4277]: error: PAM: Authentication failure for u...@adtest.fnr.gub.uy from 10.9.9.8

Also, in the attached file there is the log sssd_idmpru.fnr.gub.uy.log, which shows a login attempt with user "usu6", who is in the same situation as "usu5".

############

We have done other tests as well. In this case we are logged on to the IdM server as user "usu1", whose password has not expired and is working properly. But when we try to change it with "passwd" it also fails.

[u...@adtest.fnr.gub.uy@idmsrvpru /]$ passwd
Changing password for user u...@adtest.fnr.gub.uy.
Current Password:
Password change failed. Server message: Old password not accepted.
passwd: Authentication token manipulation error

Log of this test on the IdM server:

Feb 23 08:15:40 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_unix(passwd:chauthtok): user "u...@adtest.fnr.gub.uy" does not exist in /etc/passwd
Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_sss(passwd:chauthtok): Authentication failed for user u...@adtest.fnr.gub.uy: 4 (System error)

Which PAM logs do you need? We have several files, apparently.

Thank you guys again and best regards.

Lic. Mateo Duffour
Unidad Informática
2901.40.91

From: "Alexander Bokovoy" <aboko...@redhat.com>
To: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
Cc: "Mateo Duffour" <mduff...@fnr.gub.uy>
Sent: Wednesday, 23 February, 2022 05:14:42
Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC - User accounts with passwords expired

Hello,

On Tue, 22 Feb 2022, Mateo Duffour via FreeIPA-users wrote:
> Hi,
>
> We currently have an IdM installation with a trust relationship with a Samba AD DC. Our user accounts reside on the Samba AD DC; we don't have user accounts on IdM.
>
> We are having a problem with Samba user accounts whose passwords have expired. When we try to log in from an Ubuntu IdM client with one of those accounts, it fails and asks again for the password. The behaviour we are expecting is that Ubuntu should ask for a password change.

I think you need to look at the SSSD troubleshooting guide and investigate a bit yourself. Without logs it is impossible to tell what's wrong.

Please see https://sssd.io/troubleshooting/basics.html and https://sssd.io/troubleshooting/ipa_provider.html for the two parts that would be relevant here.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
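The detail a defender wants out of the two journal excerpts quoted in this thread is whether an expired AD password reached the PAM stack as the expected "new authentication token required" result (which makes sshd or login offer a password change) or, as here, as PAM_SYSTEM_ERR (4), which is just a failed login. The script below is an added example written for this thread; it is not code from any of the participants, from SSSD or from FreeIPA. It parses syslog-style lines like those quoted, correlates krb5_child "Password has expired" notices with the pam_sss result logged shortly afterwards on the same host, and labels each non-success result so the symptom stands out from ordinary bad-password failures. The sample lines are constructed from the quoted excerpts with the masked user names filled in as usu5 and usu1 (the thread names those test users); the five-second correlation window and the finding labels are assumptions of this example.

```python
"""Triage SSSD/PAM journal lines for the expired-AD-password symptom in the thread.

Added example, not part of the mailing-list thread, SSSD or FreeIPA.
"""
import re
from datetime import datetime, timedelta

# PAM return codes from <security/_pam_types.h>; only the ones the triage needs.
PAM_SUCCESS = 0
PAM_SYSTEM_ERR = 4          # what the thread's logs show
PAM_AUTH_ERR = 7
PAM_NEW_AUTHTOK_REQD = 12   # what a working stack returns for an expired password

# Constructed sample: the two journal excerpts from the thread, with the masked
# user names filled in as usu5 / usu1 (the users named in the message text).
SAMPLE_LOG = """\
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: Password has expired
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did not match expectations
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.8 user=usu5@adtest.fnr.gub.uy
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): received for user usu5@adtest.fnr.gub.uy: 4 (System error)
Feb 23 08:14:37 idmsrvpru.idmpru.fnr.gub.uy sshd[4277]: error: PAM: Authentication failure for usu5@adtest.fnr.gub.uy from 10.9.9.8
Feb 23 08:15:40 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_unix(passwd:chauthtok): user "usu1@adtest.fnr.gub.uy" does not exist in /etc/passwd
Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_sss(passwd:chauthtok): Authentication failed for user usu1@adtest.fnr.gub.uy: 4 (System error)
"""

# "Mon DD HH:MM:SS host program[pid]: message" as written by rsyslog / journalctl
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The two pam_sss result messages seen in the thread:
#   pam_sss(sshd:auth): received for user U: 4 (System error)
#   pam_sss(passwd:chauthtok): Authentication failed for user U: 4 (System error)
PAM_SSS_RESULT_RE = re.compile(
    r"pam_sss\((?P<service>[\w-]+):(?P<stage>auth|chauthtok)\): "
    r"(?:received for user|Authentication failed for user) "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<reason>[^)]*)\)"
)


def parse_line(line, year=2022):
    """Split one syslog-style line into fields; return None if it does not match."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; the caller supplies one for delta arithmetic
    rec["time"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec


def triage(lines, window=timedelta(seconds=5)):
    """Return one finding per pam_sss auth/chauthtok result that is not PAM_SUCCESS."""
    expired_at = []   # (host, time) of every krb5_child "Password has expired"
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["prog"] == "krb5_child" and "Password has expired" in rec["msg"]:
            expired_at.append((rec["host"], rec["time"]))
            continue
        r = PAM_SSS_RESULT_RE.search(rec["msg"])
        if not r or int(r["code"]) == PAM_SUCCESS:
            continue
        code = int(r["code"])
        # Did the KDC report an expiry on this host within the window before this result?
        preceded_by_expiry = any(
            h == rec["host"] and timedelta(0) <= rec["time"] - t <= window
            for h, t in expired_at
        )
        if r["stage"] == "auth" and preceded_by_expiry and code != PAM_NEW_AUTHTOK_REQD:
            kind = "expired-password-not-surfaced"   # the symptom in the thread
        elif r["stage"] == "auth":
            kind = "auth-failure"
        else:
            kind = "password-change-failed"
        findings.append({
            "kind": kind, "host": rec["host"], "user": r["user"],
            "service": r["service"], "pam_code": code, "reason": r["reason"],
            "time": rec["time"].isoformat(),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['host']} {f['service']}:{f['user']} -> "
              f"{f['kind']} (PAM {f['pam_code']}: {f['reason']})")
```

Run against the sample it reports the usu5 login as "expired-password-not-surfaced" and the usu1 passwd attempt as "password-change-failed"; on a real host feed it `journalctl -o short` or /var/log/secure lines instead. The pam_unix "does not exist in /etc/passwd" line is deliberately ignored: for a trusted-domain user resolved through SSSD it only says that the local module ran first and passed.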
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure