On 25/10/2016 00:02, Prasun Gera wrote:
I've seen some different behaviour. I've had errors for users
(including the admin user) trying to log in with possibly an expired
password. Both webui and ssh would fail, but kinit would work. I'm not
sure if this is related to the password's expiration or the account's
expiration. My /var/log/secure has messages like "pam_sss(sshd:auth):
received for user uname: 13 (User account has expired)". Is there a
setting for default expiration of user accounts ? I don't remember
setting it anywhere.
By "account expiration" do you mean the "--principal-expiration" option
to ipa user-xxx? Or is there another setting?
Code 13 is PAM_ACCT_EXPIRED, at least in the "new" constants
$ egrep '\b13\b' /usr/include/security/*pam*
/usr/include/security/_pam_compat.h:# define PAM_USER_UNKNOWN 13
/usr/include/security/_pam_types.h:#define PAM_ACCT_EXPIRED 13 /*
User account has expired */
/usr/include/security/_pam_types.h:#define PAM_AUTHTOK_TYPE 13 /* The
type for pam_get_authtok */
This to me implies it's not looking at the krbPasswordExpiration
attribute, because it could (or should) use PAM_AUTHTOK_EXPIRED (27) for
For me, pam_sss seems to handle expiry correctly. For example if I reset
an account password (which in turn causes it to expire immediately), and
then someone logs in their ssh private key, and subsequently does
"sudo", sudo prompts them for the password, tells them it has expired,
but gives them the opportunity to change it.
However it's not impossible that the PAM module has some buried logic,
e.g. it refuses to use a password which expired more than X days ago.
That was the reason for my original question. I guess I should try
setting some expiry date way in the past.
The other thing is to look in the source code for pam_sss to see under
which conditions it returns PAM_ACCT_EXPIRED. The answer is: when it
gets ERR_ACCOUNT_EXPIRED from parse_krb5_child_response. Which in turn
is when we get KRB5KDC_ERR_NAME_EXP from Kerberos. Which in turn is
"Client's entry in database has expired".
But as has already been said - if the *principal* has expired you
shouldn't be able to login with kinit at all.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project