On Tue, Jun 02, 2015 at 10:24:35AM +0000, Alexander Frolushkin wrote:
> Hello Jakub!
> Thank you for responding, I'll comment in the text
> 
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
> Sent: Tuesday, June 02, 2015 1:24 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] AD user password change via ssh login
> 
> On Tue, Jun 02, 2015 at 06:21:59AM +0000, Alexander Frolushkin wrote:
> >> Hello.
> >> Maybe this is a little off topic, sorry if so.
> >
> >> Faced a strange behavior of the server when trying to log in a newly created 
> >> user from AD, which has a password that must be changed on first login.
> >> Using this user to log in via ssh to the server leads to ssh session 
> >> termination without any message regarding password expiry. If I do 
> >> kinit for this user on the same server, it does request a password change.
> >>
> >> In secure log:
> >> Jun  2 12:18:15 server sshd[9830]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.100.1 user=sdemi...@ad.com
> >> Jun  2 12:18:15 server sshd[9830]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.100.1 user=sdemi...@ad.com
> >> Jun  2 12:18:15 server sshd[9830]: pam_sss(sshd:auth): received for user sdemi...@ad.com: 12 (Authentication token is no longer valid; new one required)
> >> Jun  2 12:18:15 server sshd[9830]: pam_sss(sshd:account): Access denied for user sdemi...@ad.com: 6 (Permission denied)
> 
> > It would be interesting to see the logs, because you're being denied in the 
> > account phase, where I would expect the user to be either expired, locked or 
> > denied by HBAC rules.
> Do you mean the sssd logs in debug mode?

Yes, in the domain section of sssd.conf.

> 
> > Does the login work with such a user if you (temporarily!!) set 
> > access_provider=permit ?
> Yes, it does. With this it asks to change the password as usual.

Then it would be really interesting to see the domain logs to see which
part of the access provider denies access.

> 
> >> Jun  2 12:18:15 server sshd[9830]: Failed password for sdemi...@ad.com from 10.10.100.1 port 41859 ssh2
> >> Jun  2 12:18:15 server sshd[9831]: fatal: Access denied for user sdemi...@ad.com by PAM account configuration
> >>
> >> If I then change the user's password manually from Windows, login 
> >> works as expected.
> >>
> >> WBR,
> >> Alexander Frolushkin
> >> Cell +79232508764
> >> Work +79232507764
> >
> 
> ________________________________
> 
> 
> The information contained in this communication is intended solely for the 
> use of the individual or entity to whom it is addressed and others authorized 
> to receive it. It may contain confidential or legally privileged information. 
> The contents may not be disclosed or used by anyone other than the addressee. 
> If you are not the intended recipient(s), any use, disclosure, copying, 
> distribution or any action taken or omitted to be taken in reliance on it is 
> prohibited and may be unlawful. If you have received this communication in 
> error please notify us immediately by responding to this email and then 
> delete the e-mail and all attachments and any copies thereof.
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
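As an added example (not code from the thread, SSSD or FreeIPA), here is a small Python triage script that does the two things the replies above ask for. It parses the quoted /var/log/secure lines per sshd PID and shows that the final denial came from the pam_sss account phase (PAM return code 6, PAM_PERM_DENIED) after the auth phase had reported 12 (PAM_NEW_AUTHTOK_REQD), which is why the access provider, expiry and lockout are the things to look at rather than the password itself. It also checks an sssd.conf for a debug_level in the domain section and for a leftover access_provider = permit. The log lines are the ones quoted in the thread (user names are truncated there as well); the sssd.conf text and the domain name ipa.example.test are constructed for this example.

```python
"""Triage for the sshd/pam_sss failure discussed above.

Added example (not code from the thread, SSSD or FreeIPA). Two helpers:
  triage()          - per sshd PID, which PAM phase (auth/account) carried the
                      final pam_sss denial and with which PAM return code;
  audit_sssd_conf() - does [domain/...] in sssd.conf have debug_level set, and
                      is the temporary access_provider = permit still in place?
"""
import configparser
import re
from collections import defaultdict

# Log lines quoted in the thread (user names truncated there as well).
SAMPLE_SECURE_LOG = """\
Jun  2 12:18:15 server sshd[9830]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.100.1 user=sdemi...@ad.com
Jun  2 12:18:15 server sshd[9830]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.100.1 user=sdemi...@ad.com
Jun  2 12:18:15 server sshd[9830]: pam_sss(sshd:auth): received for user sdemi...@ad.com: 12 (Authentication token is no longer valid; new one required)
Jun  2 12:18:15 server sshd[9830]: pam_sss(sshd:account): Access denied for user sdemi...@ad.com: 6 (Permission denied)
Jun  2 12:18:15 server sshd[9830]: Failed password for sdemi...@ad.com from 10.10.100.1 port 41859 ssh2
Jun  2 12:18:15 server sshd[9831]: fatal: Access denied for user sdemi...@ad.com by PAM account configuration
""".splitlines()

# Constructed sssd.conf for the example; the domain name is an assumption.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = ipa.example.test
services = nss, pam

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
access_provider = permit
debug_level = 9
"""

# "sshd[PID]: pam_<module>(<service>:<phase>): <message>"
PAM_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_(?P<module>\w+)\((?P<service>\w+):(?P<phase>\w+)\): (?P<msg>.*)$"
)
# pam_sss appends the numeric PAM return code: "...: 12 (Authentication token ...)"
CODE_RE = re.compile(r":\s*(?P<code>\d+)\s*\(")

# The PAM return codes that matter here (values from Linux-PAM _pam_types.h).
PAM_CODES = {6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
             12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED"}


def parse_pam_events(lines):
    """Return {pid: [(module, phase, code_or_None)]} in log order, PAM lines only."""
    events = defaultdict(list)
    for line in lines:
        m = PAM_RE.search(line)
        if not m:
            continue
        c = CODE_RE.search(m.group("msg"))
        code = int(c.group("code")) if c else None
        events[m.group("pid")].append((m.group("module"), m.group("phase"), code))
    return dict(events)


def triage(lines):
    """Per sshd PID: pam_sss return code per phase and the phase that carried the denial.

    Code 12 in the auth phase is "new authentication token required" (the
    password-change prompt). A non-zero account-phase code after it means the
    account phase (access provider/HBAC, expiry, lockout) rejected the login,
    so that is the phase to investigate, not the password check."""
    result = {}
    for pid, events in parse_pam_events(lines).items():
        codes = {phase: code for module, phase, code in events
                 if module == "sss" and code is not None}
        if not codes:
            continue
        if codes.get("account", 0) != 0:
            denied_in = "account"
        elif codes.get("auth", 0) not in (0, 12):
            denied_in = "auth"
        else:
            denied_in = None          # nothing denied outright by pam_sss
        result[pid] = {
            "auth": codes.get("auth"),
            "account": codes.get("account"),
            "denied_in": denied_in,
            "names": {ph: PAM_CODES.get(c, f"code {c}") for ph, c in codes.items()},
        }
    return result


def audit_sssd_conf(text, domain):
    """Check the [domain/<domain>] section for debug_level and access_provider."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    section = f"domain/{domain}"
    if not cp.has_section(section):
        raise KeyError(f"no [{section}] in sssd.conf")
    level = cp.get(section, "debug_level", fallback=None)
    try:
        debug_on = level is not None and int(level, 0) != 0   # accepts "9" or "0x0270"
    except ValueError:
        debug_on = False
    provider = cp.get(section, "access_provider", fallback=None)
    return {
        "domain_debug_enabled": debug_on,
        "access_provider": provider,
        "permit_everything": provider == "permit",   # fine for a test, not for production
    }


if __name__ == "__main__":
    for pid, info in triage(SAMPLE_SECURE_LOG).items():
        print(f"sshd[{pid}]: auth={info['auth']} account={info['account']} "
              f"denied_in={info['denied_in']}")
    print(audit_sssd_conf(SAMPLE_SSSD_CONF, "ipa.example.test"))
```

Run against a real /var/log/secure by replacing SAMPLE_SECURE_LOG with the file's lines; the audit helper is meant to be run after the debugging session so that access_provider = permit does not stay in place by accident.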
