On Tue, Apr 19, 2016 at 11:57 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
> Did you test that this actually fails with id_provider=ipa? I would
> assume the IPA KDC would kick you out and prompt for a new password.
If you're using a password, yes, it kicks back and requires you to change it. The problem is if you're not using a password to authenticate, but instead using an SSH key: then it appears there are no hooks to check with IPA whether the password (or the principal itself) is expired and whether the user is allowed to continue to log in. The "recommended" way to do this in RHEL6 is to set access_provider to ldap in sssd, but that doesn't seem to cover all cases and doesn't play well with other IPA things (like HBAC) from what I can tell.

-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |    ICBM Address: 40.346344   -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ 08544   | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
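The workaround Steve mentions, written out as an sssd.conf fragment. This is an added example, not from the thread or from the SSSD/FreeIPA projects: the only setting the post names is access_provider = ldap, so the other option names (ldap_access_order, ldap_account_expire_policy, ldap_pwd_policy) and the sshd UsePAM requirement are assumptions taken from the sssd-ldap(5) and sshd_config(5) man pages and should be checked against the sssd version actually installed on the RHEL 6 host. Domain and server names are placeholders.

```ini
# Added example (not from the thread). Why a key-based SSH login slips past
# an expired IPA password: with public-key authentication, sshd never runs
# the PAM "auth" phase, so the KDC is never asked and never gets the chance
# to reject the expired principal. The only place the login can still be
# refused is the PAM "account" phase, which sssd answers through its
# access_provider. That phase only runs if sshd talks to PAM at all:
#
#   /etc/ssh/sshd_config
#   UsePAM yes
#
# /etc/sssd/sssd.conf, domain section. Values in <angle brackets> are
# placeholders for the site's own names.

[domain/<example.test>]
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa
ipa_domain = <example.test>
ipa_server = <ipa.example.test>

# Setting as reported in the thread: with the ipa access provider on RHEL 6,
# an expired password is not checked for key-based logins.
# access_provider = ipa

# Workaround named in the thread: hand the account phase to the ldap access
# provider. The options below are assumptions from sssd-ldap(5), not from
# the post:
#   - "expire" with ldap_account_expire_policy = ipa refuses accounts that
#     IPA has disabled (nsAccountLock);
#   - "pwd_expire_policy_reject" with ldap_pwd_policy = mit_kerberos refuses
#     logins whose krbPasswordExpiration attribute is in the past.
# Verify both option names exist in the installed sssd before relying on them.
access_provider = ldap
ldap_access_order = expire, pwd_expire_policy_reject
ldap_account_expire_policy = ipa
ldap_pwd_policy = mit_kerberos

# Caveat from the thread: once access_provider is no longer ipa, sssd on this
# host stops evaluating IPA HBAC rules, so host-based access control has to
# be enforced some other way (or accepted as lost) while this is in place.
```

After changing the file, restart sssd and clear its cache so the new access provider takes effect; then test with an account whose password has been deliberately expired, once with a password login (expected: forced change) and once with a key login (expected: refused at the account phase).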