On Fri, Apr 19, 2024 at 08:56:36AM +0000, Carlos Lopez via FreeIPA-users wrote:
> Good morning,
>
> I have configured some Ubuntu clients to authenticate via Kerberos against
> my RHEL9 IdM server. Everything works correctly: clients are authenticated,
> etc.
>
> The problem comes when a user's password has expired. In the IdM server logs
> it is clear that the user must change the password:
>
> 2024-04-19T08:38:20.946335+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8
> etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
> camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: REQUIRED
> PWCHANGE: [email protected] for krbtgt/[email protected], Password has expired
> 2024-04-19T08:38:20.946413+00:00 rhelidmsrv01 krb5kdc[21392]: closing down fd
> 13
> 2024-04-19T08:38:20.946712+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8
> etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
> camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14:
> NEEDED_PREAUTH: [email protected] for kadmin/[email protected], Additional
> pre-authentication required
> 2024-04-19T08:38:20.946747+00:00 rhelidmsrv01 krb5kdc[21392]: closing down fd
> 13
> 2024-04-19T08:38:20.950691+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8
> etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
> camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: ISSUE:
> authtime 1713515900, etypes {rep=aes256-cts-hmac-sha1-96(18),
> tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)},
> [email protected] for kadmin/[email protected]
>
> But when accessing the Ubuntu client via ssh, it never prompts to change the
> password and you can log in.
Hi,
can you share your PAM configuration for the sshd service? I'm asking
because the change of expired passwords is handled in the 'account'
section and I guess with your configuration (local users with
authentication by SSSD) pam_sss.so is not called for local users during
'account'.
bye,
Sumit
>
> My sssd's config in Ubuntu client is:
>
> [sssd]
> config_file_version = 2
> services = pam
> domains = mydom.org
>
> [pam]
> pam_pwd_expiration_warning = 2
>
> [domain/mydom.org]
> id_provider = proxy
> proxy_lib_name = files
> auth_provider = krb5
> chpass_provider = krb5
> krb5_server = rhelidmsrv01.mydom.org
> krb5_kpasswd = rhelidmsrv01.mydom.org
> krb5_realm = mydom.org
> krb5_ccname_template = KEYRING:persistent:%U
> krb5_validate = true
> cache_credentials = true
>
> What could be the problem?
>
> Best regards,
> C. L. Martinez
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
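Sumit's question is whether pam_sss.so ever runs in the sshd 'account' stack; the script below is an added example, not from the thread or from SSSD, that lists the account-phase modules for a PAM service file while following Ubuntu's '@include' lines, and runs the check over two constructed common-account files in a temp dir. The pam_sss.so line appended to the second file is assumed to be the form Ubuntu's sssd pam-config adds.

```shell
#!/bin/sh
# Added example, not from the thread: walk a PAM service file the way PAM does
# on Ubuntu (following '@include') and list the modules run in the 'account'
# phase, where pam_sss.so enforces an expired password. All files below are
# constructed samples written to a temp dir, not taken from a real system.

pam_account_modules() {  # $1 = service file, $2 = directory of included files
    awk -v dir="$2" '
    function walk(file,   line, type, rest) {
        while ((getline line < file) > 0) {
            sub(/#.*/, "", line); sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            if (line == "") continue
            type = line; sub(/[ \t].*/, "", type)
            rest = line; sub(/^[^ \t]+[ \t]*/, "", rest)
            if (type == "@include") walk(dir "/" rest)
            else if (type == "account") {
                # control field is one word or a [bracketed] list; drop it
                if (rest ~ /^\[/) sub(/^\[[^]]*\][ \t]*/, "", rest)
                else sub(/^[^ \t]+[ \t]*/, "", rest)
                sub(/[ \t].*/, "", rest)   # drop module arguments
                print rest
            }
        }
        close(file)
    }
    BEGIN { walk(ARGV[1]) }' "$1"
}

account_has_pam_sss() {  # succeeds if pam_sss.so is in the account stack
    pam_account_modules "$1" "$2" | grep -qx 'pam_sss.so'
}

# Constructed: Ubuntu-style sshd whose common-account has no pam_sss.so
demo_dir=$(mktemp -d)
printf '%s\n' 'auth     required pam_env.so' '@include common-account' \
    'session  required pam_loginuid.so' > "$demo_dir/sshd"
cat > "$demo_dir/common-account" <<'EOF'
# only pam_unix.so: an expired Kerberos password is never noticed here
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required  pam_permit.so
EOF
# Same stack plus the pam_sss.so account line (assumed Ubuntu sssd pam-config form)
fixed_dir=$(mktemp -d)
cp "$demo_dir/sshd" "$fixed_dir/sshd"
{ cat "$demo_dir/common-account"
  echo 'account [default=bad success=ok user_unknown=ignore] pam_sss.so'; } > "$fixed_dir/common-account"
for d in "$demo_dir" "$fixed_dir"; do
    account_has_pam_sss "$d/sshd" "$d" && echo "$d: pam_sss.so present" || echo "$d: pam_sss.so MISSING"
done
```

Run against a real client with `pam_account_modules /etc/pam.d/sshd /etc/pam.d`; if pam_sss.so is absent from the output, the KDC's REQUIRED PWCHANGE result is never acted on at login.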