On Tue, Jun 02, 2015 at 06:21:59AM +0000, Alexander Frolushkin wrote:
> Hello.
> Maybe this is a little off topic, sorry if so.
> 
> Faced a strange behavior of the server when trying to log in a newly created user 
> from AD which has "password must be changed on first login" set.
> Using this user to log in via ssh to the server leads to ssh session termination 
> without any message regarding password expiry. If I do kinit for this user on the 
> same server, it does request a password change.
> 
> In secure log:
> Jun  2 12:18:15 server sshd[9830]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.100.1 user=sdemi...@ad.com
> Jun  2 12:18:15 server sshd[9830]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.100.1 user=sdemi...@ad.com
> Jun  2 12:18:15 server sshd[9830]: pam_sss(sshd:auth): received for user sdemi...@ad.com: 12 (Authentication token is no longer valid; new one required)
> Jun  2 12:18:15 server sshd[9830]: pam_sss(sshd:account): Access denied for user sdemi...@ad.com: 6 (Permission denied)

It would be interesting to see the logs, because you're being denied in
the account phase, where I would expect the user to be either expired,
locked or denied by HBAC rules.

Does the login work with such a user if you (temporarily!!) set
access_provider=permit?

> Jun  2 12:18:15 server sshd[9830]: Failed password for sdemi...@ad.com from 10.10.100.1 port 41859 ssh2
> Jun  2 12:18:15 server sshd[9831]: fatal: Access denied for user sdemi...@ad.com by PAM account configuration
> 
> If I further change the password of user manually from Windows, login works 
> as expected.
> 
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
> 



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
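The pam_sss lines in the thread carry the numeric PAM return code of each phase (12 for the auth phase, 6 for the account phase), which is what tells the two failure modes apart. The script below is an added example, not code from the thread or from SSSD: it correlates the sshd/pam_sss log lines of one connection by the sshd PID and names the reason for the failure using the Linux-PAM return codes. The log lines are constructed after the ones quoted above (the user name and the extra sessions are made up); the rhost and the codes are the ones in the thread.

```python
import re

# Linux-PAM return codes relevant to the thread (values from _pam_types.h).
PAM_CODES = {
    0: "PAM_SUCCESS",
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    12: "PAM_NEW_AUTHTOK_REQD",   # "Authentication token is no longer valid; new one required"
    13: "PAM_ACCT_EXPIRED",
}

# The two pam_sss messages sshd logs that carry the numeric code of each phase.
AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:auth\): received for user (?P<user>\S+): (?P<code>\d+)"
)
ACCT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:account\): Access denied for user (?P<user>\S+): (?P<code>\d+)"
)

# Constructed sample, modelled on the lines quoted in the thread. PID 9830 mirrors the
# reported case; 9840 and 9850 are made-up sessions for the other two outcomes.
SAMPLE_LOG = """\
Jun  2 12:18:15 server sshd[9830]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.100.1 user=jdoe@ad.example
Jun  2 12:18:15 server sshd[9830]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.100.1 user=jdoe@ad.example
Jun  2 12:18:15 server sshd[9830]: pam_sss(sshd:auth): received for user jdoe@ad.example: 12 (Authentication token is no longer valid; new one required)
Jun  2 12:18:15 server sshd[9830]: pam_sss(sshd:account): Access denied for user jdoe@ad.example: 6 (Permission denied)
Jun  2 12:18:15 server sshd[9830]: Failed password for jdoe@ad.example from 10.10.100.1 port 41859 ssh2
Jun  2 12:18:15 server sshd[9831]: fatal: Access denied for user jdoe@ad.example by PAM account configuration
Jun  2 12:20:01 server sshd[9840]: pam_sss(sshd:auth): received for user jdoe@ad.example: 7 (Authentication failure)
Jun  2 12:21:30 server sshd[9850]: pam_sss(sshd:account): Access denied for user asmith@ad.example: 6 (Permission denied)
"""


def parse_sshd_pam(log_text):
    """Group pam_sss auth/account return codes by sshd PID (one PID = one login attempt)."""
    sessions = {}
    for line in log_text.splitlines():
        for phase, rx in (("auth", AUTH_RE), ("account", ACCT_RE)):
            m = rx.search(line)
            if m:
                s = sessions.setdefault(
                    m["pid"], {"user": m["user"], "auth_code": None, "account_code": None}
                )
                s[phase + "_code"] = int(m["code"])
    return sessions


def classify(session):
    """Name the failure from the PAM codes of the two phases."""
    auth, acct = session["auth_code"], session["account_code"]
    if auth == 12:
        # The password itself was accepted; the account requires a new one. The later
        # account-phase denial (6) is a consequence, not a wrong password.
        return "password-change-required"
    if auth == 7:
        return "bad-password"
    if auth in (None, 0) and acct == 6:
        # Denied only in the account phase: expired, locked, or an access-control rule.
        return "account-phase-denied"
    return "unknown"


def triage(log_text):
    """Return (pid, user, verdict, pam names) for every login attempt in the log."""
    rows = []
    for pid, s in sorted(parse_sshd_pam(log_text).items()):
        names = [PAM_CODES.get(c, str(c)) for c in (s["auth_code"], s["account_code"]) if c is not None]
        rows.append((pid, s["user"], classify(s), names))
    return rows


if __name__ == "__main__":
    for pid, user, verdict, names in triage(SAMPLE_LOG):
        print(f"sshd[{pid}] {user}: {verdict} ({', '.join(names)})")
```

Run against the real secure log, the auth-phase code is the field to look at first: an attempt that gets 12 there and 6 in the account phase is a "must change password" account being turned away, whereas 6 in the account phase with no auth-phase code points at the account-phase checks the reply mentions.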
