Unfortunately I've been swapping tasks enough that I keep forgetting where I left off here. But I'm pretty sure the problem was that sssd would stop a user who was disabled (as you mention) but not if they were expired, either the account itself with krbPrincipalExpiration or the password with krbPasswordExpiration. I know that one does not get a ticket automatically if using ssh public key authentication, which is fine, but there's a specific mention in the link I referenced (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-pwd-expiry.html) that basically if you do this, then sssd will consult for password expiration and warn the user accordingly. That's what I need to happen, and would like it to be native IPA-ish calls, rather than LDAP which is what I need to set it to if I want that functionality (which then also causes other problems, such as losing HBAC and having to set a filter I've yet to get right to allow users to login to anything).
So if there's a chance of swinging the vote the other way, I'll keep beating my drum :D

On Thu, Apr 21, 2016 at 3:37 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Thu, Apr 21, 2016 at 01:26:19PM -0400, Steve Huston wrote:
>> On Tue, Apr 19, 2016 at 11:57 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
>> > Did you test that this actually fails with id_provider=ipa? I would
>> > assume the IPA KDC would kick you out and prompt for a new password..
>>
>> If you're using a password, yes it kicks back and requires you to
>> change it. The problem is if you're not using a password to
>> authenticate, but instead using an SSH key, then it appears there's no
>> hooks to check with IPA if the password (or the principal itself) is
>> expired and the user is allowed to continue to login. The
>> "recommended" way to do this in RHEL6 is to set access_provider to
>> ldap in sssd, but that doesn't seem to cover all cases and doesn't
>> play well with other IPA things (like HBAC) from what I can tell.
>
> Then in my opinion SSSD is behaving correctly there. It wouldn't let in
> a locked user (it would check the nsaccountlock attribute), but I'm not
> sure it would be correct to check krbPasswordExpiration if you're using
> a completely different method to authenticate..
>
> Moreover, if you login through an SSH key, you don't get a ticket on
> login and you can't kinit, so you can't access any network resources
> anyway..
>
> But to be honest, this is something we discussed even among IPA
> developers and we're not in total agreement here either, so maybe others
> will overrule me :)

--
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |        ICBM Address: 40.346344 -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ 08544   | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
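The thread refers to the RHEL 6 recommendation of switching sssd to access_provider = ldap so that password expiry is evaluated in the account phase, which runs even when the user never presents a password (SSH public-key login). The sssd.conf fragment below is an added example written for this page, not configuration posted by either participant, and it shows the default IPA-client setting beside that alternative so the trade-off described in the thread (losing HBAC and needing an explicit filter) is visible. The option names and values follow my reading of sssd-ldap(5); the domain name and the group DN in ldap_access_filter are placeholders, and the whole fragment assumes a client recent enough to offer the pwd_expire_policy_* access rules, so check it against the man page of the sssd version actually installed.

```ini
# sssd.conf fragment: added example, not configuration from the thread.
# Assumptions: option names as in sssd-ldap(5); placeholder domain and group.

[domain/example.test]
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa

# Default on an IPA-enrolled client. HBAC rules are enforced, but a user
# whose password has expired still gets in when authenticating with an SSH
# key, because nothing reads krbPasswordExpiration in that path.
#access_provider = ipa

# Alternative the thread discusses: let the ldap access provider evaluate
# expiry during the account phase, which runs for SSH-key logins too.
# Trade-off (per the thread): HBAC is no longer enforced, so an explicit
# filter has to carry the "who may log in here" decision instead.
access_provider = ldap

# Read the MIT Kerberos password-policy attributes (krbPasswordExpiration)
# from the user entry instead of shadow attributes.
ldap_pwd_policy = mit_kerberos

# Evaluate, in order: the LDAP filter, the account-expiry policy, then the
# password-expiry policy. pwd_expire_policy_reject denies an expired
# password; pwd_expire_policy_warn would only warn and still let the user in;
# pwd_expire_policy_renew forces an immediate change.
ldap_access_order = filter, expire, pwd_expire_policy_reject

# "ipa" here means the nsAccountLock attribute is honoured, which is the
# locked/disabled-user check the thread says already works.
ldap_account_expire_policy = ipa

# Placeholder group: replace with the real DN of the group allowed to log in.
ldap_access_filter = (memberOf=cn=ssh-users,cn=groups,cn=accounts,dc=example,dc=test)
```

Note that none of the rules above consults krbPrincipalExpiration, the other attribute the thread asks about; the fragment covers disabled accounts (nsAccountLock) and expired passwords (krbPasswordExpiration) only, which matches the "doesn't seem to cover all cases" remark in the quoted message. Comments sit on their own lines because sssd's config parser does not reliably treat trailing text after a value as a comment.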