I've seen some different behaviour. I've had errors for users (including the admin user) trying to log in with possibly an expired password. Both webui and ssh would fail, but kinit would work. I'm not sure if this is related to the password's expiration or the account's expiration. My /var/log/secure has messages like "pam_sss(sshd:auth): received for user uname: 13 (User account has expired)". Is there a setting for default expiration of user accounts? I don't remember setting it anywhere.

By "account expiration" do you mean the "--principal-expiration" option to ipa user-xxx? Or is there another setting?

Code 13 is PAM_ACCT_EXPIRED, at least in the "new" constants:

$ egrep '\b13\b' /usr/include/security/*pam*
/usr/include/security/_pam_compat.h:# define PAM_USER_UNKNOWN     13
/usr/include/security/_pam_types.h:#define PAM_ACCT_EXPIRED 13 /* User account has expired */
/usr/include/security/_pam_types.h:#define PAM_AUTHTOK_TYPE 13 /* The type for pam_get_authtok */

This to me implies it's not looking at the krbPasswordExpiration attribute, because it could (or should) use PAM_AUTHTOK_EXPIRED (27) for that instead.

For me, pam_sss seems to handle expiry correctly. For example, if I reset an account password (which in turn causes it to expire immediately), and then someone logs in with their ssh private key and subsequently does "sudo", sudo prompts them for the password, tells them it has expired, but gives them the opportunity to change it.

However, it's not impossible that the PAM module has some buried logic, e.g. it refuses to use a password which expired more than X days ago. That was the reason for my original question. I guess I should try setting some expiry date way in the past.

The other thing is to look in the source code for pam_sss to see under which conditions it returns PAM_ACCT_EXPIRED. The answer is: when it gets ERR_ACCOUNT_EXPIRED from parse_krb5_child_response. Which in turn is when we get KRB5KDC_ERR_NAME_EXP from Kerberos. Which in turn is "Client's entry in database has expired".

But as has already been said - if the *principal* has expired you shouldn't be able to log in with kinit at all.
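As an added example (not from the original thread or from sssd itself): a small Python parser that pulls the PAM return code out of /var/log/secure lines of the form quoted above and maps it to the Linux-PAM constant, so that account expiry (13, PAM_ACCT_EXPIRED, i.e. KRB5KDC_ERR_NAME_EXP) can be told apart from password expiry (27, PAM_AUTHTOK_EXPIRED, or 12, PAM_NEW_AUTHTOK_REQD) when triaging. The sample log lines are constructed, and krbPrincipalExpiration is assumed to be the attribute that ipa user-mod --principal-expiration sets.

```python
import re
from collections import Counter

# Linux-PAM return codes from _pam_types.h that pam_sss commonly reports.
# 13 is the value confirmed by the grep above; the rest are the standard constants.
PAM_CODES = {
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
    12: "PAM_NEW_AUTHTOK_REQD",
    13: "PAM_ACCT_EXPIRED",
    27: "PAM_AUTHTOK_EXPIRED",
}

# Which expiry each code points at (krbPrincipalExpiration is an assumption, see lead-in).
DIAGNOSIS = {
    "PAM_ACCT_EXPIRED": "principal expired (KRB5KDC_ERR_NAME_EXP); check krbPrincipalExpiration",
    "PAM_AUTHTOK_EXPIRED": "password expired; check krbPasswordExpiration",
    "PAM_NEW_AUTHTOK_REQD": "password must be changed; check krbPasswordExpiration",
}

LOG_RE = re.compile(
    r"pam_sss\((?P<service>[^:]+):(?P<stage>\w+)\): received for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<msg>[^)]*)\)"
)

def parse_pam_sss_line(line):
    """Return a dict for a pam_sss 'received for user' line, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    name = PAM_CODES.get(code, f"UNKNOWN_{code}")
    return {"service": m.group("service"), "stage": m.group("stage"),
            "user": m.group("user"), "code": code, "name": name,
            "diagnosis": DIAGNOSIS.get(name, "other failure; see message")}

def summarise(lines):
    """Count (user, PAM constant) pairs across a log excerpt."""
    counts = Counter()
    for line in lines:
        rec = parse_pam_sss_line(line)
        if rec:
            counts[(rec["user"], rec["name"])] += 1
    return counts

# Constructed sample lines modelled on the /var/log/secure message quoted above.
SAMPLE_LOG = [
    "Mar  3 10:01:12 ipa1 sshd[2231]: pam_sss(sshd:auth): received for user uname: 13 (User account has expired)",
    "Mar  3 10:02:40 ipa1 sshd[2240]: pam_sss(sshd:auth): received for user alice: 27 (Authentication token expired)",
    "Mar  3 10:03:05 ipa1 sshd[2251]: pam_sss(sshd:auth): received for user uname: 13 (User account has expired)",
    "Mar  3 10:04:00 ipa1 sshd[2260]: Accepted publickey for bob from 10.0.0.5 port 51234 ssh2",
]

if __name__ == "__main__":
    for (user, name), count in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{user:10} {name:22} x{count}  {DIAGNOSIS.get(name, '')}")
```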