Am Thu, Feb 24, 2022 at 11:53:07AM -0300 schrieb Mateo Duffour via 
FreeIPA-users:
> Which /etc/pam.d/ config file do you need ? 

Hi,

from the logs below it looks like you are using ssh to log in, so it
would be /etc/pam.d/sshd and all the files which might be referenced in
that file.

bye,
Sumit

> 
> Lic. Mateo Duffour 
> Unidad Informática 
>       2901.40.91 
> 
> [ 
> http://maps.apple.com/?q=18%20de%20julio%20985%20-%20Piso%204,Montevideo,Uruguay
>  | 18 de julio 985 - Piso 3, Montevideo, Uruguay ] 
> [ http://www.fnr.gub.uy/ |    ] 
> 
> 
> 
> No me imprimas si no es necesario. Protejamos el medio ambiente. Este mensaje 
> y la información adjunta al mismo está dirigido exclusivamente a su 
> destinatario. Puede contener información confidencial, privilegiada o de uso 
> restringido, protegida por las normas. Si Ud. recibió este e-mail por error, 
> por favor, sírvase notificarle a quien se lo envió y borrar el original. 
> Cualquier otro uso del e-mail por Ud. está prohibido. 
> 
> 
> From: "Mateo Duffour" <mduff...@fnr.gub.uy> 
> To: "Alexander Bokovoy" <aboko...@redhat.com> 
> Cc: "freeipa-users" <freeipa-users@lists.fedorahosted.org> 
> Sent: Wednesday, 23 February, 2022 17:26:49 
> Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC - 
> User accounts with passwords expired 
> 
> Hi, thank you for the quick reply. 
> 
> We were further investigating the issue. 
> 
> We were testing with user "usu5" that has its password expired. The log of 
> IdM server below shows that Samba AD DC is sending "Password has expired" for 
> user "usu5", thats OK. 
> So we can suspect that IdM is not behaving as expected, it should prompt a 
> password expiry to the user and let the user change it, but something is 
> wrong with our config or scenario because that does not happen. 
> 
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: Password has 
> expired 
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did 
> not match expectations 
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.8 
> user=u...@adtest.fnr.gub.uy 
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): 
> received for user u...@adtest.fnr.gub.uy: 4 (System error) 
> Feb 23 08:14:37 idmsrvpru.idmpru.fnr.gub.uy sshd[4277]: error: PAM: 
> Authentication failure for u...@adtest.fnr.gub.uy from 10.9.9.8 
> 
> Also in the attached file there is the log of sssd_idmpru.fnr.gub.uy.log that 
> shows a login attempt with user "usu6", that is on the same situation as 
> "usu5". 
> 
> ############ 
> 
> We have done other tests as well, in this case we are logged on IdM server as 
> user "usu1", which has a password not expired and working properly. But when 
> we try to change it with "passwd" it also fails. 
> 
> [u...@adtest.fnr.gub.uy@idmsrvpru /]$ passwd 
> Changing password for user u...@adtest.fnr.gub.uy. 
> Current Password: 
> Password change failed. Server message: Old password not accepted. 
> passwd: Authentication token manipulation error 
> 
> Log of this test on IdM server: 
> 
> Feb 23 08:15:40 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: 
> pam_unix(passwd:chauthtok): user "u...@adtest.fnr.gub.uy" does not exist in 
> /etc/passwd 
> Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: 
> pam_sss(passwd:chauthtok): User info message: Password change failed. Server 
> message: Old password not accepted. 
> Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: 
> pam_sss(passwd:chauthtok): Authentication failed for user 
> u...@adtest.fnr.gub.uy: 4 (System error) 
> 
> Which pam logs do u need ? we have several files apparently. 
> 
> 
> Thank you guys again and best regards. 
> 
> Lic. Mateo Duffour 
> Unidad Informática 
>       2901.40.91 
> 
> [ 
> http://maps.apple.com/?q=18%20de%20julio%20985%20-%20Piso%204,Montevideo,Uruguay
>  | 18 de julio 985 - Piso 3, Montevideo, Uruguay ] 
> [ http://www.fnr.gub.uy/ |    ] 
> 
> 
> 
> No me imprimas si no es necesario. Protejamos el medio ambiente. Este mensaje 
> y la información adjunta al mismo está dirigido exclusivamente a su 
> destinatario. Puede contener información confidencial, privilegiada o de uso 
> restringido, protegida por las normas. Si Ud. recibió este e-mail por error, 
> por favor, sírvase notificarle a quien se lo envió y borrar el original. 
> Cualquier otro uso del e-mail por Ud. está prohibido. 
> 
> 
> From: "Alexander Bokovoy" <aboko...@redhat.com> 
> To: "freeipa-users" <freeipa-users@lists.fedorahosted.org> 
> Cc: "Mateo Duffour" <mduff...@fnr.gub.uy> 
> Sent: Wednesday, 23 February, 2022 05:14:42 
> Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC - 
> User accounts with passwords expired 
> 
> Hello, 
> 
> On ti, 22 helmi 2022, Mateo Duffour via FreeIPA-users wrote: 
> 
> 
> Hi, 
> 
> We currently have an IdM installation with a trust relationship with a 
> Samba AD DC. Our user accounts reside on Samba AD DC, we dont have user 
> accounts on IdM. We are having a problem with Samba user acounts that 
> have its passwords expired. 
> 
> When we try to login with an ubuntu IdM client with one of those 
> accounts, it fails and asks again for password. The behaviour we are 
> expecting is that Ubuntu should ask for a password change. 
> 
> 
> 
> I think you need to look at SSSD troubleshooting guide and investigate a 
> bit yourself. Without logs it is impossible to tell what's wrong. 
> 
> Please see https://sssd.io/troubleshooting/basics.html and 
> https://sssd.io/troubleshooting/ipa_provider.html for two parts that 
> would be relevant here. 
> 
> -- 
> / Alexander Bokovoy 
> Sr. Principal Software Engineer 
> Security / Identity Management Engineering 
> Red Hat Limited, Finland 
> 

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Reply via email to