Hello, I figured this out.

I needed to set --disablelocauthorize when running authconfig so that users with local entries in my /etc/password file are challenged to change their kerb pw when expired. This must have been the default with RHEL5 but changed in RHEL6. All is well!

Thanks
David

David Brezynski

> Message: 3
> Date: Wed, 29 Apr 2015 12:30:35 -0700 (PDT)
> From: David Brezynski <[email protected]>
> Subject: RHEL6 not forcing password change when logging in with
>     expired kerberos password - remote ssh login
> To: [email protected]
> Message-ID: <[email protected]>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> Hello
>
> I have a mixed RHEL5/RHEL6 environment and am having problems with RHEL6
> forcing users to change their kerberos password when it is expired.
>
> RHEL5 works as I'd expect - challenges me to change my expired kerb pw when I
> log in.
>
> The RHEL6 server knows the kerb pw is expired (and shows the message
> "Warning: password has expired.") but then continues to give me an
> interactive session (albeit without a valid ticket - klist: No credentials
> cache found (ticket cache FILE:/tmp/krb5cc_541)).
>
> Also on RHEL6 servers if I manually enter kinit after ssh'ing I get prompted
> to change my password:
>
> kinit
> Password for [email protected]:
> Password expired. You must change it now.
> Enter new password:
>
> and I'm able to change the password just fine.
>
> I figure this must be something with pam (system-auth) but after trying a
> number of different configurations with the auth level I can't figure it out.
>
> My system-auth looks like this:
>
> ---------------------------------
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_fprintd.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_krb5.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_krb5.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_krb5.so
> -----------------------------------
>
> Any ideas?
>
> Thanks!
> David
>
> ------------------------------
>
> _______________________________________________
> Kerberos mailing list
> [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
> End of Kerberos Digest, Vol 148, Issue 25
> *****************************************

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
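An added example (not code from the thread or from either poster) that checks for the PAM ordering behind the problem above. In the account stack as posted, `account sufficient pam_localuser.so` sits before `pam_krb5.so`: for any user with an /etc/passwd entry that line ends the account phase with success, so pam_krb5's "password expired, new authtok required" result never reaches sshd and no password change is forced. The assumption here, stated as such, is that this `pam_localuser.so` account line is what `authconfig --disablelocauthorize` removes; the two configs below are constructed samples, not copies of a real host's files.

```shell
# Added example, not from the mailing-list thread. Checks a PAM config for an
# account stack in which a "sufficient" pam_localuser.so entry precedes
# pam_krb5.so, which lets local users skip the Kerberos account check.
# Assumption: that entry is what authconfig --disablelocauthorize drops.

# Constructed sample: the account stack as posted in the thread.
STACK_BEFORE='account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so'

# Constructed sample: the same stack without the local-user short circuit.
STACK_AFTER='account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so'

# Reads a PAM config on stdin. Prints "bypass" when a sufficient
# pam_localuser.so line comes before pam_krb5.so in the account stack,
# "ok" otherwise. The module name is taken as the first field ending in
# ".so", so bracketed control values like [default=bad ...] are skipped.
check_account_stack() {
  awk '
    $1 == "account" {
      mod = ""
      for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { mod = $i; break }
      if (mod == "pam_localuser.so" && $2 == "sufficient" && !seen_krb) {
        print "bypass"; found = 1; exit
      }
      if (mod == "pam_krb5.so") seen_krb = 1
    }
    END { if (!found) print "ok" }
  '
}

# Wrapper for a real file, e.g. check_account_file /etc/pam.d/system-auth
check_account_file() {
  check_account_stack < "$1"
}

# Stand-alone run over the two constructed samples.
printf '%s\n' "$STACK_BEFORE" | check_account_stack   # bypass
printf '%s\n' "$STACK_AFTER"  | check_account_stack   # ok
```

Run `check_account_file /etc/pam.d/system-auth` (and the sshd-specific stack, if one exists) on a RHEL6 host to confirm the fix is in place; "bypass" means the Kerberos account check is still being short-circuited for local users.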
