David & Brian, I'm familiar with the usual password expiration message that shows up which forces you to change the password. I've seen that before. However, I didn't see it this time, which is odd. Since I was able to kinit, I reset the password, and it started working again. I don't have an account in this failed state currently, but is it possible to force password expiration in order to reproduce this again? Something like "ipa user-mod myuser --setattr=krbpasswordexpiration=" should work, right?
On Tue, Oct 25, 2016 at 3:54 AM, Brian Candler <b.cand...@pobox.com> wrote:
> On 25/10/2016 00:02, Prasun Gera wrote:
>
> I've seen some different behaviour. I've had errors for users (including the admin user) trying to log in with possibly an expired password. Both webui and ssh would fail, but kinit would work. I'm not sure if this is related to the password's expiration or the account's expiration. My /var/log/secure has messages like "pam_sss(sshd:auth): received for user uname: 13 (User account has expired)". Is there a setting for default expiration of user accounts? I don't remember setting it anywhere.
>
> By "account expiration" do you mean the "--principal-expiration" option to ipa user-xxx? Or is there another setting?
>
> Code 13 is PAM_ACCT_EXPIRED, at least in the "new" constants
>
> $ egrep '\b13\b' /usr/include/security/*pam*
> /usr/include/security/_pam_compat.h:# define PAM_USER_UNKNOWN 13
> /usr/include/security/_pam_types.h:#define PAM_ACCT_EXPIRED 13 /* User account has expired */
> /usr/include/security/_pam_types.h:#define PAM_AUTHTOK_TYPE 13 /* The type for pam_get_authtok */
>
> This to me implies it's not looking at the krbPasswordExpiration attribute, because it could (or should) use PAM_AUTHTOK_EXPIRED (27) for that instead.
>
> For me, pam_sss seems to handle expiry correctly. For example if I reset an account password (which in turn causes it to expire immediately), and then someone logs in with their ssh private key, and subsequently does "sudo", sudo prompts them for the password, tells them it has expired, but gives them the opportunity to change it.
>
> However it's not impossible that the PAM module has some buried logic, e.g. it refuses to use a password which expired more than X days ago. That was the reason for my original question. I guess I should try setting some expiry date way in the past.
>
> The other thing is to look in the source code for pam_sss to see under which conditions it returns PAM_ACCT_EXPIRED. The answer is: when it gets ERR_ACCOUNT_EXPIRED from parse_krb5_child_response. Which in turn is when we get KRB5KDC_ERR_NAME_EXP from Kerberos. Which in turn is "Client's entry in database has expired".
>
> http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Kerberos-V5-Library-Error-Codes.html
>
> But as has already been said - if the *principal* has expired you shouldn't be able to login with kinit at all.
>
> Regards,
>
> Brian.
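The thread's diagnostic point is that PAM code 13 (PAM_ACCT_EXPIRED, driven by KRB5KDC_ERR_NAME_EXP) and code 27 (PAM_AUTHTOK_EXPIRED) describe two different expiries, and that the right way to tell them apart is to compare what pam_sss logged against the directory attributes. The script below is an added example, not code from the thread, from sssd or from FreeIPA: it parses pam_sss "received for user" lines from /var/log/secure, names the PAM code, and reconciles it with the krbPasswordExpiration value and the principal expiration value (assumed here to be the krbPrincipalExpiration attribute that --principal-expiration sets, both in the GeneralizedTime form `ipa user-show --all` prints). The log lines and attribute values are constructed for the example.

```python
"""Tell an expired Kerberos principal apart from an expired password.

Added illustration for the thread above. The log lines and attribute
values are constructed; the krbPrincipalExpiration attribute name is an
assumption about what 'ipa user-mod --principal-expiration' writes.
"""
import re
from datetime import datetime, timezone

# Linux-PAM return codes (security/_pam_types.h). 13 and 27 are the two the
# thread distinguishes: pam_sss maps KRB5KDC_ERR_NAME_EXP to PAM_ACCT_EXPIRED,
# whereas an expired password should surface as PAM_AUTHTOK_EXPIRED.
PAM_CODES = {
    0: "PAM_SUCCESS",
    7: "PAM_AUTH_ERR",
    13: "PAM_ACCT_EXPIRED",
    27: "PAM_AUTHTOK_EXPIRED",
}

# Shape of the pam_sss line quoted in the thread:
#   pam_sss(sshd:auth): received for user uname: 13 (User account has expired)
PAM_SSS_RE = re.compile(
    r"pam_sss\((?P<service>[^:()]+):(?P<stack>\w+)\): received for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<msg>[^)]*)\)"
)

# Constructed sample of /var/log/secure content (not from a real host).
SAMPLE_SECURE = [
    "Oct 25 00:02:11 ipa1 sshd[2211]: pam_sss(sshd:auth): received for user alice: 13 (User account has expired)",
    "Oct 25 00:02:11 ipa1 sshd[2211]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=alice",
    "Oct 25 00:03:40 ipa1 sshd[2230]: pam_sss(sshd:auth): received for user bob: 27 (Authentication token is no longer valid; new one required)",
    "Oct 25 00:04:02 ipa1 sshd[2240]: pam_sss(sshd:auth): received for user carol: 7 (Authentication failure)",
]


def parse_pam_sss_line(line):
    """Return a dict for a pam_sss 'received for user' line, else None."""
    m = PAM_SSS_RE.search(line)
    if m is None:
        return None
    code = int(m.group("code"))
    return {
        "service": m.group("service"),
        "user": m.group("user"),
        "code": code,
        "name": PAM_CODES.get(code, "PAM_CODE_%d" % code),
        "message": m.group("msg"),
    }


def expired_users(lines):
    """Map user -> set of expiry-related PAM code names seen in the log."""
    seen = {}
    for line in lines:
        rec = parse_pam_sss_line(line)
        if rec and rec["code"] in (13, 27):
            seen.setdefault(rec["user"], set()).add(rec["name"])
    return seen


def parse_generalized_time(value):
    """Parse LDAP GeneralizedTime as printed by 'ipa user-show --all'
    (e.g. 20161025000000Z) into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expiry_state(password_exp, principal_exp, now):
    """Report which of the two expiry attributes lies in the past at 'now'.

    password_exp  : krbPasswordExpiration value, or None if unset
    principal_exp : krbPrincipalExpiration value (assumed attribute name), or None
    """
    state = {"password_expired": False, "principal_expired": False}
    if password_exp is not None:
        state["password_expired"] = parse_generalized_time(password_exp) <= now
    if principal_exp is not None:
        state["principal_expired"] = parse_generalized_time(principal_exp) <= now
    return state


def explain(pam_names, state):
    """Reconcile the PAM code pam_sss logged with the directory attributes."""
    if "PAM_ACCT_EXPIRED" in pam_names and not state["principal_expired"]:
        return ("PAM_ACCT_EXPIRED reported but the principal expiration is not in "
                "the past: the PAM code and the directory disagree; inspect the KDC log")
    if "PAM_ACCT_EXPIRED" in pam_names:
        return "principal expired: extend it with ipa user-mod --principal-expiration"
    if "PAM_AUTHTOK_EXPIRED" in pam_names or state["password_expired"]:
        return "password expired: the user must change it (kinit will prompt)"
    return "no expiry condition found"


if __name__ == "__main__":
    now = parse_generalized_time("20161025120000Z")
    for user, names in sorted(expired_users(SAMPLE_SECURE).items()):
        # Constructed attribute values standing in for 'ipa user-show --all' output.
        state = expiry_state("20161001000000Z", None, now)
        print(user, sorted(names), "->", explain(names, state))
```

Run it against real input by replacing SAMPLE_SECURE with the lines of /var/log/secure and the two attribute strings with the values `ipa user-show <user> --all` prints; a code 13 for a user whose principal expiration is unset or in the future is exactly the mismatch the thread is chasing.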
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project