Hello.
Maybe this is a little off topic, sorry if so.

Faced a strange behavior of server when trying to login a newly created user 
from AD, which have a password must be changed on first login.
Using this user to login via ssh to server feeds to ssh session termination 
without any messages regarding to password expire. If I do kinit this user on 
same server, it does request password change.

In secure log:
Jun  2 12:18:15 server sshd[9830]: pam_unix(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.100.1  user=sdemi...@ad.com
Jun  2 12:18:15 server sshd[9830]: pam_sss(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.100.1 user=sdemi...@ad.com
Jun  2 12:18:15 server sshd[9830]: pam_sss(sshd:auth): received for user 
sdemi...@ad.com: 12 (Authentication token is no longer valid; new one required)
Jun  2 12:18:15 server sshd[9830]: pam_sss(sshd:account): Access denied for 
user sdemi...@ad.com: 6 (Permission denied)
Jun  2 12:18:15 server sshd[9830]: Failed password for sdemi...@ad.com from 
10.10.100.1 port 41859 ssh2
Jun  2 12:18:15 server sshd[9831]: fatal: Access denied for user 
sdemi...@ad.com by PAM account configuration

If I further change the password of user manually from Windows, login works as 
expected.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764


________________________________

Информация в этом сообщении предназначена исключительно для конкретных лиц, 
которым она адресована. В сообщении может содержаться конфиденциальная 
информация, которая не может быть раскрыта или использована кем-либо, кроме 
адресатов. Если вы не адресат этого сообщения, то использование, переадресация, 
копирование или распространение содержания сообщения или его части незаконно и 
запрещено. Если Вы получили это сообщение ошибочно, пожалуйста, незамедлительно 
сообщите отправителю об этом и удалите со всем содержимым само сообщение и 
любые возможные его копии и приложения.

The information contained in this communication is intended solely for the use 
of the individual or entity to whom it is addressed and others authorized to 
receive it. It may contain confidential or legally privileged information. The 
contents may not be disclosed or used by anyone other than the addressee. If 
you are not the intended recipient(s), any use, disclosure, copying, 
distribution or any action taken or omitted to be taken in reliance on it is 
prohibited and may be unlawful. If you have received this communication in 
error please notify us immediately by responding to this email and then delete 
the e-mail and all attachments and any copies thereof.

(c)20mf50
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to