Good morning,

I have configured some Ubuntu clients to authenticate via Kerberos against my 
RHEL9 IdM server. Everything works correctly: clients are authenticated, etc.

The problem comes when a user's password has expired. In the IdM server logs it 
is clear that the user must change the password:

2024-04-19T08:38:20.946335+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes 
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), 
camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: REQUIRED 
PWCHANGE: us...@mydom.org for krbtgt/mydom....@mydom.org, Password has expired
2024-04-19T08:38:20.946413+00:00 rhelidmsrv01 krb5kdc[21392]: closing down fd 13
2024-04-19T08:38:20.946712+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes 
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), 
camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: 
NEEDED_PREAUTH: us...@mydom.org for kadmin/chang...@mydom.org, Additional 
pre-authentication required
2024-04-19T08:38:20.946747+00:00 rhelidmsrv01 krb5kdc[21392]: closing down fd 13
2024-04-19T08:38:20.950691+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes 
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), 
camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: ISSUE: 
authtime 1713515900, etypes {rep=aes256-cts-hmac-sha1-96(18), 
tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)}, 
us...@mydom.org for kadmin/chang...@mydom.org

But when accessing the Ubuntu client via ssh, it never prompts to change the 
password and you can log in.

My sssd config on the Ubuntu client is:

[sssd]
config_file_version = 2
services = pam
domains = mydom.org

[pam]
pam_pwd_expiration_warning = 2

[domain/mydom.org]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
chpass_provider = krb5
krb5_server = rhelidmsrv01.mydom.org
krb5_kpasswd = rhelidmsrv01.mydom.org
krb5_realm = mydom.org
krb5_ccname_template = KEYRING:persistent:%U
krb5_validate = true
cache_credentials = true

What could be the problem?

Best regards,
C. L. Martinez
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
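A small client-side checker, added here as an example and not part of the original post or of SSSD itself. SSSD reports an expired Kerberos password through pam_sss.so in the PAM account phase and carries out the forced change in the PAM password phase, so a client whose PAM stack lists pam_sss.so only for auth will authenticate the user without ever prompting for a change. The script parses an sssd.conf like the one posted and a PAM stack in Ubuntu's /etc/pam.d/common-* layout and reports gaps of that kind. The PAM stack below is a constructed sample (pam_sss.so deliberately missing from account and password); the function names and the idea of checking these files together are my own, not anything the post describes.

```python
"""Sanity check for SSSD + Kerberos expired-password handling on a client.

Added example, not from the mailing-list post. It parses an sssd.conf
and a PAM stack and lists settings that would keep an expired Kerberos
password from being enforced at login. Both inputs are embedded as
constructed samples so the script runs offline.
"""
import configparser

# Constructed sample: the sssd.conf from the post, reproduced verbatim.
SSSD_CONF = """\
[sssd]
config_file_version = 2
services = pam
domains = mydom.org

[pam]
pam_pwd_expiration_warning = 2

[domain/mydom.org]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
chpass_provider = krb5
krb5_server = rhelidmsrv01.mydom.org
krb5_kpasswd = rhelidmsrv01.mydom.org
krb5_realm = mydom.org
krb5_ccname_template = KEYRING:persistent:%U
krb5_validate = true
cache_credentials = true
"""

# Constructed sample PAM stack in the /etc/pam.d/common-* layout.
# pam_sss.so is present for auth and session but missing from account
# and password, which is the kind of gap this check is meant to surface.
PAM_STACK = """\
auth     [success=2 default=ignore]  pam_unix.so nullok
auth     [success=1 default=ignore]  pam_sss.so use_first_pass
auth     requisite                   pam_deny.so
account  [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account  requisite                   pam_deny.so
password [success=1 default=ignore]  pam_unix.so obscure use_authtok
password requisite                   pam_deny.so
session  optional                    pam_sss.so
"""


def check_sssd(conf_text, domain):
    """Return findings (strings) about the sssd.conf text for one domain."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %U literal
    cp.read_string(conf_text)
    findings = []
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "pam" not in services:
        findings.append("sssd: 'pam' missing from services, pam_sss cannot talk to SSSD")
    sect = "domain/" + domain
    if not cp.has_section(sect):
        return findings + ["sssd: no section [%s]" % sect]
    d = cp[sect]
    if d.get("auth_provider") != "krb5":
        findings.append("domain: auth_provider is not krb5")
    if d.get("chpass_provider") != "krb5":
        findings.append("domain: chpass_provider is not krb5, a forced change cannot complete")
    if not d.get("krb5_kpasswd"):
        findings.append("domain: krb5_kpasswd is unset, the change request has no target")
    return findings


def check_pam(stack_text, module="pam_sss.so"):
    """Return the PAM phases (auth/account/password) where `module` is absent.

    The account phase is where SSSD signals an expired password and the
    password phase is where the change is performed, so both must list the
    module for an expired Kerberos password to be enforced at login.
    """
    present = set()
    for line in stack_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if module in tokens:
            present.add(tokens[0])
    return [p for p in ("auth", "account", "password") if p not in present]


if __name__ == "__main__":
    for f in check_sssd(SSSD_CONF, "mydom.org") or ["sssd.conf: no findings"]:
        print(f)
    for phase in check_pam(PAM_STACK):
        print("pam: pam_sss.so not listed in the %s phase" % phase)
```

On a live host the same two functions can be fed the contents of /etc/sssd/sssd.conf and the PAM service sshd actually uses (on Ubuntu, common-auth, common-account and common-password as included by /etc/pam.d/sshd); the sssd.conf from the post passes its checks, so the PAM side is where the sample stack shows gaps.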