For a user's very first login attempt via GDM (as in never logged in before
and will have to set a new password), the password change will fail and the
user will be unable to log in.

Now if the user has already set a password the login works fine. I
haven't tested after the password expires but I suspect it will be the
same as above.

The salient errors (I believe) in the logs are the following:

Jan  9 18:33:34 host.name pam: gdm-password[5056]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=user_name
Jan  9 18:33:34 host.name pam: gdm-password[5056]: pam_sss(gdm-password:auth): system info: [Password has expired]
Jan  9 18:33:34 host.name pam: gdm-password[5056]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=user_name
Jan  9 18:33:34 host.name pam: gdm-password[5056]: pam_sss(gdm-password:auth): received for user user_name: 12 (Authentication token is no longer valid; new one required)
Jan  9 18:33:35 host.name pam: gdm-password[5056]: pam_sss(gdm-password:account): User info message: Password expired. Change your password now.
Jan  9 18:33:35 host.name pam: gdm-password[5056]: pam_unix(gdm-password:chauthtok): user "user_name" does not exist in /etc/passwd
Jan  9 18:33:51 host.name pam: gdm-password[5056]: pam_unix(gdm-password:chauthtok): user "user_name" does not exist in /etc/passwd
Jan  9 18:33:52 host.name pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): system info: [Generic error (see e-text)]
Jan  9 18:33:52 host.name pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): User info message: Password change failed. Server message: Failed to decrypt password
Jan  9 18:33:52 host.name pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): Password change failed for user user_name: 20 (Authentication token manipulation error)

The KDC logs don't shed a huge amount of light:

Jan 09 18:33:34 ipa.server krb5kdc[2379](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: CLIENT KEY EXPIRED: user_n...@realm.com for krbtgt/realm....@realm.com, Password has expired
Jan 09 18:33:34 ipa.server krb5kdc[2377](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: NEEDED_PREAUTH: user_n...@realm.com for kadmin/changepw@REALM.COM, Additional pre-authentication required
Jan 09 18:33:34 ipa.server krb5kdc[2375](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: ISSUE: authtime 1326134014, etypes {rep=18 tkt=18 ses=18}, user_n...@realm.com for kadmin/chang...@realm.com
Jan 09 18:33:39 ipa.server krb5kdc[2375](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: NEEDED_PREAUTH: user_n...@realm.com for kadmin/changepw@REALM.COM, Additional pre-authentication required
Jan 09 18:33:39 ipa.server krb5kdc[2382](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: ISSUE: authtime 1326134019, etypes {rep=18 tkt=18 ses=18}, user_n...@realm.com for kadmin/chang...@realm.com
Jan 09 18:33:51 ipa.server krb5kdc[2382](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: NEEDED_PREAUTH: user_n...@realm.com for kadmin/changepw@REALM.COM, Additional pre-authentication required

After doing some testing while writing this message it appears that
kpasswd and even the sshd login fail as well in the same way.

A copy of /etc/pam.d/system-auth for completeness:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type= minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=12
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_motd.so motd=/etc/motd

Let me know any thoughts on the matter,

-Erinn
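
The log lines above are the kind of thing a helpdesk or SOC ends up grepping for by hand. As an added example for this thread (not code from the original post, from SSSD or from FreeIPA), the script below parses pam_unix/pam_sss syslog lines into per-login events, keyed on the service and PID, and flags the sequence seen here: an auth phase that returned PAM code 12 (PAM_NEW_AUTHTOK_REQD, "new one required") followed by a chauthtok phase that returned code 20 (PAM_AUTHTOK_ERR, "Authentication token manipulation error"), pulling out the server-side reason ("Failed to decrypt password") so it surfaces in one place. It also notes the pam_unix "does not exist in /etc/passwd" line, which is expected for a non-local account because pam_unix sits ahead of pam_sss in the password stack shown. The syslog layout is assumed from the quoted lines; the embedded sample is a constructed reduction of them, with the post's placeholder host, PID and user name.

```python
"""Correlate PAM syslog lines per login and flag an expired-password auth
whose forced password change (chauthtok) then failed.

Added example for the thread, not code from the post, SSSD or FreeIPA. The
line layout is assumed from the post's quoted log; SAMPLE_LOG is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Linux-PAM return codes that appear in the post's lines.
PAM_CODES = {12: "PAM_NEW_AUTHTOK_REQD", 20: "PAM_AUTHTOK_ERR"}

# Constructed sample, reduced from the post (host, pid and user are the
# post's own placeholders, not real identifiers).
SAMPLE_LOG = """\
Jan  9 18:33:34 host.name pam: gdm-password[5056]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=user_name
Jan  9 18:33:34 host.name pam: gdm-password[5056]: pam_sss(gdm-password:auth): system info: [Password has expired]
Jan  9 18:33:34 host.name pam: gdm-password[5056]: pam_sss(gdm-password:auth): received for user user_name: 12 (Authentication token is no longer valid; new one required)
Jan  9 18:33:35 host.name pam: gdm-password[5056]: pam_sss(gdm-password:account): User info message: Password expired. Change your password now.
Jan  9 18:33:35 host.name pam: gdm-password[5056]: pam_unix(gdm-password:chauthtok): user "user_name" does not exist in /etc/passwd
Jan  9 18:33:52 host.name pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): User info message: Password change failed. Server message: Failed to decrypt password
Jan  9 18:33:52 host.name pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): Password change failed for user user_name: 20 (Authentication token manipulation error)
"""

# "<ts> <host> pam: <service>[<pid>]: <module>(<service>:<phase>): <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pam: "
    r"(?P<service>[\w.-]+)\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\([\w.-]+:(?P<phase>auth|account|password|chauthtok|session)\): "
    r"(?P<msg>.*)$"
)
CODE_RE = re.compile(r": (?P<code>\d+) \((?P<text>[^)]*)\)\s*$")   # trailing "N (text)"
USER_RE = re.compile(r'(?:user=|for user |user ")(?P<user>[^\s":]+)')
SERVER_MSG_RE = re.compile(r"Server message: (?P<text>.+)$")


@dataclass
class PamEvent:
    ts: str
    service: str
    pid: int
    module: str
    phase: str
    msg: str
    code: Optional[int]             # PAM return code when the line carries one
    user: Optional[str]
    server_message: Optional[str]   # text after "Server message:" if present


@dataclass
class Finding:
    service: str
    pid: int
    user: Optional[str]
    auth_code: str
    chauthtok_code: str
    server_message: Optional[str]
    local_fallthrough: bool   # pam_unix reported the user absent from /etc/passwd


def parse_line(line: str) -> Optional[PamEvent]:
    """Return a PamEvent for a pam_* syslog line, or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    code_m, user_m, srv_m = CODE_RE.search(msg), USER_RE.search(msg), SERVER_MSG_RE.search(msg)
    return PamEvent(
        ts=m.group("ts"), service=m.group("service"), pid=int(m.group("pid")),
        module=m.group("module"), phase=m.group("phase"), msg=msg,
        code=int(code_m.group("code")) if code_m else None,
        user=user_m.group("user") if user_m else None,
        server_message=srv_m.group("text") if srv_m else None,
    )


def parse(lines: Iterable[str]) -> List[PamEvent]:
    return [ev for ev in (parse_line(ln) for ln in lines) if ev is not None]


def diagnose(events: List[PamEvent]) -> List[Finding]:
    """Group by (service, pid); report logins where auth returned 12 and the
    following chauthtok returned 20, i.e. the forced password change failed."""
    sessions: Dict[Tuple[str, int], List[PamEvent]] = {}
    for ev in events:
        sessions.setdefault((ev.service, ev.pid), []).append(ev)
    findings: List[Finding] = []
    for (service, pid), evs in sessions.items():
        auth_reqd = [e for e in evs if e.phase == "auth" and e.code == 12]
        chg_fail = [e for e in evs if e.phase == "chauthtok" and e.code == 20]
        if not (auth_reqd and chg_fail):
            continue
        findings.append(Finding(
            service=service, pid=pid,
            user=next((e.user for e in evs if e.user), None),
            auth_code=PAM_CODES.get(auth_reqd[0].code, str(auth_reqd[0].code)),
            chauthtok_code=PAM_CODES.get(chg_fail[0].code, str(chg_fail[0].code)),
            server_message=next((e.server_message for e in evs if e.server_message), None),
            local_fallthrough=any(e.module == "pam_unix" and e.phase == "chauthtok"
                                  and "does not exist in /etc/passwd" in e.msg for e in evs),
        ))
    return findings


if __name__ == "__main__":
    for f in diagnose(parse(SAMPLE_LOG.splitlines())):
        print(f"{f.service}[{f.pid}] user={f.user}: {f.auth_code} -> {f.chauthtok_code}; "
              f"server said: {f.server_message!r}; pam_unix fell through: {f.local_fallthrough}")
```

Run it against a real /var/log/secure with `diagnose(parse(open(path)))`; it only keys on the PAM return codes and the "Server message:" text, so it does not depend on the surrounding "system info" lines, which vary between SSSD versions.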



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
