On Thu, Feb 24, 2022 at 11:53:07AM -0300, Mateo Duffour via FreeIPA-users wrote:
> Which /etc/pam.d/ config file do you need ?

Hi,

from the logs below it looks like you are using ssh to log in, so it would be /etc/pam.d/sshd and all the files which might be referenced in that file.

bye,
Sumit

> Lic. Mateo Duffour
> Unidad Informática
>
> From: "Mateo Duffour" <mduff...@fnr.gub.uy>
> To: "Alexander Bokovoy" <aboko...@redhat.com>
> Cc: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
> Sent: Wednesday, 23 February, 2022 17:26:49
> Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC - User accounts with passwords expired
>
> Hi, thank you for the quick reply.
>
> We were further investigating the issue.
>
> We were testing with user "usu5" that has its password expired. The log of IdM server below shows that Samba AD DC is sending "Password has expired" for user "usu5", that's OK.
> So we can suspect that IdM is not behaving as expected, it should prompt a password expiry to the user and let the user change it, but something is wrong with our config or scenario because that does not happen.
>
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: Password has expired
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did not match expectations
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.8 user=u...@adtest.fnr.gub.uy
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): received for user u...@adtest.fnr.gub.uy: 4 (System error)
> Feb 23 08:14:37 idmsrvpru.idmpru.fnr.gub.uy sshd[4277]: error: PAM: Authentication failure for u...@adtest.fnr.gub.uy from 10.9.9.8
>
> Also in the attached file there is the log of sssd_idmpru.fnr.gub.uy.log that shows a login attempt with user "usu6", that is on the same situation as "usu5".
>
> ############
>
> We have done other tests as well, in this case we are logged on IdM server as user "usu1", which has a password not expired and working properly. But when we try to change it with "passwd" it also fails.
>
> [u...@adtest.fnr.gub.uy@idmsrvpru /]$ passwd
> Changing password for user u...@adtest.fnr.gub.uy.
> Current Password:
> Password change failed. Server message: Old password not accepted.
> passwd: Authentication token manipulation error
>
> Log of this test on IdM server:
>
> Feb 23 08:15:40 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_unix(passwd:chauthtok): user "u...@adtest.fnr.gub.uy" does not exist in /etc/passwd
> Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
> Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_sss(passwd:chauthtok): Authentication failed for user u...@adtest.fnr.gub.uy: 4 (System error)
>
> Which pam logs do u need ? we have several files apparently.
>
> Thank you guys again and best regards.
>
> Lic. Mateo Duffour
> Unidad Informática
>
> From: "Alexander Bokovoy" <aboko...@redhat.com>
> To: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
> Cc: "Mateo Duffour" <mduff...@fnr.gub.uy>
> Sent: Wednesday, 23 February, 2022 05:14:42
> Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC - User accounts with passwords expired
>
> Hello,
>
> On Tue, 22 Feb 2022, Mateo Duffour via FreeIPA-users wrote:
> > Hi,
> >
> > We currently have an IdM installation with a trust relationship with a Samba AD DC. Our user accounts reside on Samba AD DC, we don't have user accounts on IdM. We are having a problem with Samba user accounts that have its passwords expired.
> >
> > When we try to login with an Ubuntu IdM client with one of those accounts, it fails and asks again for password. The behaviour we are expecting is that Ubuntu should ask for a password change.
>
> I think you need to look at SSSD troubleshooting guide and investigate a bit yourself. Without logs it is impossible to tell what's wrong.
>
> Please see https://sssd.io/troubleshooting/basics.html and https://sssd.io/troubleshooting/ipa_provider.html for two parts that would be relevant here.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
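
Added example, not part of the original thread: a POSIX shell function that lists a PAM service file such as /etc/pam.d/sshd together with every file it references, which is the set of files asked for in the reply at the top. The names `pam_chain` and `make_sample_tree` and the sample tree are constructed for illustration; the function assumes references are made with `include`, `substack` or the Debian/Ubuntu `@include` directive.

```shell
#!/bin/sh
# Added example: print a PAM service file and every file it pulls in through
# "include", "substack" (Linux-PAM) or "@include" (Debian/Ubuntu) directives.

pam_chain() (                       # subshell body keeps variables local
    dir=${2:-/etc/pam.d}
    set -- "$1"                     # positional parameters act as the work queue
    seen=" "
    while [ $# -gt 0 ]; do
        cur=$1; shift
        case $seen in *" $cur "*) continue ;; esac   # already reported
        seen="$seen$cur "
        case $cur in /*) path=$cur ;; *) path=$dir/$cur ;; esac
        if [ ! -r "$path" ]; then
            echo "$path (missing)"
            continue
        fi
        echo "$path"
        # Field 1 is the type (possibly "-"-prefixed), field 2 the control.
        set -- "$@" $(awk '
            /^[ \t]*#/ { next }
            $1 == "@include" { print $2; next }
            $2 == "include" || $2 == "substack" { print $3 }
        ' "$path")
    done
)

# Constructed sample tree (not taken from the thread) mixing both directive
# styles, so the function can be tried without touching /etc/pam.d.
make_sample_tree() {
    t=$(mktemp -d)
    cat > "$t/sshd" <<'EOF'
#%PAM-1.0
auth       substack     password-auth
auth       include      postlogin
account    include      password-auth
# auth     include      disabled-file
@include common-session
EOF
    printf 'auth sufficient pam_sss.so forward_pass\nauth include system-auth\n' > "$t/password-auth"
    : > "$t/postlogin"
    : > "$t/common-session"
    echo "$t"
}

sample=$(make_sample_tree)
pam_chain sshd "$sample"            # on a real host: pam_chain sshd
rm -rf "$sample"
```

Each file is reported once even when several module types include it, and a referenced file that cannot be read is flagged as missing rather than skipped silently.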