[Freeipa-users] Re: [EXTERNAL] have users reset password

2019-12-10 Thread Johan Vermeulen via FreeIPA-users
Hello Daniel, hello Dirk,

yes, both commands work.
Problem solved I would say.
Thank you very much!

Greetings, J.

On Tue, 10 Dec 2019 at 14:12, White, Daniel E. (GSFC-770.0)[NICS] via
FreeIPA-users wrote:

> A thought:
>
> If a user logs in to a laptop, then does a "kinit", can they then do a
> "kpasswd" to update their password ?
>
> *Daniel E. White*
> *daniel.e.wh...@nasa.gov*
>
> *NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road
> Building 14, Room E175 Greenbelt, MD 20771*
>
> *Office: (301) 286-6919*
>
> *Mobile: (240) 513-5290*
>
> *From: *Johan Vermeulen via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org>
> *Reply-To: *FreeIPA users list 
> *Date: *Tuesday, December 10, 2019 at 07:56
> *To: *FreeIPA users list 
> *Cc: *Johan Vermeulen 
> *Subject: *[EXTERNAL] [Freeipa-users] have users reset password
>
> Hello All,
>
> so we have some 200 laptops that are ipa-clients.
>
> At the moment the only way for the users on these laptops to reset their
> passwords is to wait until the password expires.
> Then they get a message on the login screen and they can reset the
> password.
>
> I would like to have an alternative method.
>
> Having them log in to the Freeipa server is the obvious one, but here they
> see too much information, like all the users.
>
> Is there another way to have users reset their passwords?
>
> Many thanks, J.
>
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>


[Freeipa-users] have users reset password

2019-12-10 Thread Johan Vermeulen via FreeIPA-users
Hello All,

so we have some 200 laptops that are ipa-clients.

At the moment the only way for the users on these laptops to reset their
passwords is to wait until the password expires.
Then they get a message on the login screen and they can reset the password.

I would like to have an alternative method.

Having them log in to the Freeipa server is the obvious one, but here they see
too much information, like all the users.

Is there another way to have users reset their passwords?

Many thanks, J.


[Freeipa-users] Re: is anyone running Debian as freeipa-client

2019-02-16 Thread Johan Vermeulen via FreeIPA-users
Hello,

That works!!
My bugreport update mainly was about trouble with chrony and ntp.
With no-ntp option I can enroll Debian clients.

This is seriously good news.
Thank you!

Greetz, j.

On Sat, 16 Feb 2019 at 11:46, Timo Aaltonen wrote:

> On 16.2.2019 10.40, Johan Vermeulen via FreeIPA-users wrote:
> > Hello,
> >
> > thanks for helping me out.
> > I have replied to the bug report, additional info is in there.
> > I am not yet familiar with bug report etiquette, wasn't sure where to
> > reply to.
>
> for some reason that reply never got to me.. anyway, if you don't use
> chrony you should probably use '--no-ntp' for ipa-client-install
>
>
> --
> t
>


[Freeipa-users] Re: is anyone running Debian as freeipa-client

2019-02-16 Thread Johan Vermeulen via FreeIPA-users
Hello,

thanks for helping me out.
I have replied to the bug report, additional info is in there.
I am not yet familiar with bug report etiquette, wasn't sure where to reply
to.

Greetings, J.




On Sat, 16 Feb 2019 at 09:21, Timo Aaltonen via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> On 11.2.2019 15.19, Johan Vermeulen via FreeIPA-users wrote:
> > Hello All,
> >
> > I'm seeing package freeipa-client now in Debian 10 Buster, that is great!
> > But ipa-client-install fails:
> >
> > Joining realm failed: http response code is 500, not 200
>
> I asked you a question on the bug report, but you haven't replied?
>
>
>
> --
> t


[Freeipa-users] Re: is anyone running Debian as freeipa-client

2019-02-11 Thread Johan Vermeulen via FreeIPA-users
Hello All,

I'm seeing package freeipa-client now in Debian 10 Buster, that is great!
But ipa-client-install fails:

Joining realm failed: http response code is 500, not 200

greetings, J.

On Thu, 7 Feb 2019 at 17:24, Johan Vermeulen wrote:

> Hello,
>
> thanks for all the work on this.
>
> In the meantime I guess the freeze is already there.
> So how does it go from here with Buster/freeipa?
>
> Grtz j.
>
>
> On Fri, 11 Jan 2019 at 11:43, Timo Aaltonen via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> On 11.1.2019 12.10, Alexander Bokovoy wrote:
>> > On Fri, 11 Jan 2019, Timo Aaltonen via FreeIPA-users wrote:
>> >> On 10.1.2019 0.14, Eric Engstrom via FreeIPA-users wrote:
>> >>>> one option would be to only build freeipa-client, but that'd leave
>> >>>> anyone using the server out in the cold.
>> >>>
>> >>> Since some of us are running the server on different distros, what do
>> >>> you see as the blockers to getting freeipa-client into debian,
>> >>> presumably without -server?
>> >>>
>> >>> And, in the interest of moving this forward, where should I look to
>> >>> contribute to getting freeipa-client up on debian (buster, or ).
>> >>
>> >> Actually, nss-pem got accepted so the last (functional) blocker is now
>> >> kinda fixed for the client.
>> >>
>> >> The server is still blocked on other things, like Dogtag being broken
>> >> with current java even while everything builds and should work with it..
>> > Timo,
>> >
>> > could you describe in more detail what is missing/blocked?
>>
>> What's missing is a working CA :) I sent a message to pki-users@ about
>> this.
>>
>> Other than that it needs update to 4.7.2 (now at 4.7.1), testing etc, so
>> the usual maintenance.. It's been a couple of months since I was able to
>> get a server up because of other components. And nss-pem is very fresh
>> on Debian. Once Dogtag is fixed I'm sure there will be new minor issues
>> since the last time. Still a month to go before Buster is frozen.
>>
>> One thing to mention separately is missing support for opendnssec 2.x,
>> since Fedora is still on 1.4.x...
>> https://pagure.io/freeipa/issue/6873
>>
>> I'm not sure how much work is left to be done. Opendnssec got a new
>> maintainer this week, maybe we'll be able to sort this out together..
>>
>> --
>> t


[Freeipa-users] Re: is anyone running Debian as freeipa-client

2019-02-07 Thread Johan Vermeulen via FreeIPA-users
Hello,

thanks for all the work on this.

In the meantime I guess the freeze is already there.
So how does it go from here with Buster/freeipa?

Grtz j.


On Fri, 11 Jan 2019 at 11:43, Timo Aaltonen via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> On 11.1.2019 12.10, Alexander Bokovoy wrote:
> > On Fri, 11 Jan 2019, Timo Aaltonen via FreeIPA-users wrote:
> >> On 10.1.2019 0.14, Eric Engstrom via FreeIPA-users wrote:
> >>>> one option would be to only build freeipa-client, but that'd leave
> >>>> anyone using the server out in the cold.
> >>>
> >>> Since some of us are running the server on different distros, what do
> >>> you see as the blockers to getting freeipa-client into debian,
> >>> presumably without -server?
> >>>
> >>> And, in the interest of moving this forward, where should I look to
> >>> contribute to getting freeipa-client up on debian (buster, or ).
> >>
> >> Actually, nss-pem got accepted so the last (functional) blocker is now
> >> kinda fixed for the client.
> >>
> >> The server is still blocked on other things, like Dogtag being broken
> >> with current java even while everything builds and should work with it..
> > Timo,
> >
> > could you describe in more detail what is missing/blocked?
>
> What's missing is a working CA :) I sent a message to pki-users@ about
> this.
>
> Other than that it needs update to 4.7.2 (now at 4.7.1), testing etc, so
> the usual maintenance.. It's been a couple of months since I was able to
> get a server up because of other components. And nss-pem is very fresh
> on Debian. Once Dogtag is fixed I'm sure there will be new minor issues
> since the last time. Still a month to go before Buster is frozen.
>
> One thing to mention separately is missing support for opendnssec 2.x,
> since Fedora is still on 1.4.x...
> https://pagure.io/freeipa/issue/6873
>
> I'm not sure how much work is left to be done. Opendnssec got a new
> maintainer this week, maybe we'll be able to sort this out together..
>
> --
> t


[Freeipa-users] Re: is anyone running Debian as freeipa-client

2018-12-05 Thread Johan Vermeulen via FreeIPA-users
Hello All,

thanks for the reply, I really appreciate it.
I will try with the package from snapshot.debian.org.

greetings, J.

On Sun, 2 Dec 2018 at 10:43, Timo Aaltonen wrote:

> On 30.11.2018 18.28, Johan Vermeulen via FreeIPA-users wrote:
> > Hello All,
> >
> > first of all,  we have great success running Freeipa and Freeipa-clients
> > on Centos.
> > Thanks for making this possible! I think this is a really important
> > piece of software for Linux.
> >
> > Now it would come in handy if I could field some Debian clients for some
> > purposes.
> > But on the current stable release there is no freeipa client.
> > I have installed some freeipa-clients from unstable, but it's not ideal.
>
> There won't be official freeipa packages in a Debian release until
> certain blockers are fixed:
>
> - certmonger fully ported to openssl (to avoid requiring nss-pem)
> - Dogtag ported to JDK11 (WIP, likely not going to happen soon enough
> for buster)
> - Dogtag ported to newer resteasy (who knows when)
>
> one option would be to only build freeipa-client, but that'd leave
> anyone using the server out in the cold.
>
>
> --
> t
>


[Freeipa-users] is anyone running Debian as freeipa-client

2018-11-30 Thread Johan Vermeulen via FreeIPA-users
Hello All,

first of all,  we have great success running Freeipa and Freeipa-clients on
Centos.
Thanks for making this possible! I think this is a really important piece
of software for Linux.

Now it would come in handy if I could field some Debian clients for some
purposes.
But on the current stable release there is no freeipa client.
I have installed some freeipa-clients from unstable, but it's not ideal.

I'm wondering, is anyone doing this at the moment?
Is there some repo for this?
Can this be compiled from source?

Thanks for any help.

Greetings, J.


[Freeipa-users] Re: Centos7.4: users not seeing password expired notifications

2018-01-15 Thread Johan Vermeulen via FreeIPA-users
Jakub,

it could be that lightdm now only displays EM. But on Centos7.3 everything
worked.
I tested further and with the same setup but with GDM this works. I get
passwd expired and other messages.

Before posting on this mailing list I posted on Lightdm mailing list but
got no response.
Does anybody know how to get hold of these guys?

Greetings, J.

2018-01-09 19:40 GMT+01:00 Jakub Hrozek :

> On Tue, Jan 09, 2018 at 12:48:39PM +0100, Johan Vermeulen wrote:
> > Hello Jakub,
> >
> > thanks for helping me out.
> >
> > It works in the console. When an expired user logs in via ctl-alt-f he
> > gets all the warnings.
>
> OK, then the warnings are even passed to lightdm..
>
> Is there any chance lightdm doesn't display all PAM messages but only
> those with errors?
>


[Freeipa-users] Re: Centos7.4: users not seeing password expired notifications

2018-01-09 Thread Johan Vermeulen via FreeIPA-users
Hello Jakub,

thanks for helping me out.

It works in the console. When an expired user logs in via ctl-alt-f he
gets all the warnings.
I will try to increase pam verbosity and report back.

Greetings, J.

2018-01-08 14:59 GMT+01:00 Jakub Hrozek :

> On Mon, Jan 08, 2018 at 11:27:47AM +0100, Johan Vermeulen wrote:
> > Hello All,
> >
> > I've set up a new machine for this test and increased the log levels to 6.
> > Config for Freeipa-client is done with ipa-client-install, I use chrony
> > instead of ntp and Selinux is enabled.
> >
> > When user logs in /var/log/secure indicates:
> >
> > [root@node1 ~]# tail -f /var/log/secure
> > Jan  5 09:27:17 node1 lightdm: pam_sss(lightdm:auth): received for user
> > jvanvlasselaer: 7 (Authentication failure)
> > Jan  5 09:27:29 node1 lightdm: pam_sss(lightdm:auth): authentication
> > failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jvanvlasselaer
> > Jan  5 09:27:29 node1 lightdm: pam_sss(lightdm:auth): received for user
> > jvanvlasselaer: 12 (Authentication token is no longer valid; new one
> > required)
> > Jan  5 09:27:29 node1 lightdm: pam_sss(lightdm:account): User info message:
> > Password expired. Change your password now.
> > Jan  5 09:27:29 node1 lightdm: pam_unix(lightdm:chauthtok): user
> > "jvanvlasselaer" does not exist in /etc/passwd
> >
> > But the lightdm gui screen indicates nothing.
> >
>
> > (Fri Jan  5 09:27:29 2018) [sssd[pam]] [pam_dp_process_reply] (0x0200):
> > received: [12 (Authenticatietoken is niet langer geldig; nieuwe is
> > vereist)][network.cawdekempen.be]
> > (Fri Jan  5 09:27:29 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply
> > called with result [12]: Authenticatietoken is niet langer geldig; nieuwe
> > is vereist.
> > (Fri Jan  5 09:27:29 2018) [sssd[pam]] [filter_responses] (0x0100):
> > [pam_response_filter] not available, not fatal.
> > (Fri Jan  5 09:27:29 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 39
>
> Here I at least see that the message did reach the sssd_pam process and I
> don't see anything that would indicate that the message was filtered out
> (OTOH, the debugging is not stellar in this area of code..)
>
> I've never used lightdm, did you maybe test with some other login
> method, like login to the console or su from another non-root user?
>
> Does it help to increase pam_verbosity in the [pam] section (see man
> sssd.conf for a description) ?
>


[Freeipa-users] Re: Centos7.4: users not seeing password expired notifications

2018-01-04 Thread Johan Vermeulen via FreeIPA-users
Hello,

apologies for the late reply, due to the holidays.

I had a call from a user this morning, she had to do multiple login
attempts and reboot several times before she could login.

Trying to follow
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

I assume the general setup works, as troubles only show up when password
expires.
On the user's laptop:

[root@lremijsen ~]# systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor
preset: disabled)
  Drop-In: /etc/systemd/system/sssd.service.d
   └─journal.conf
   Active: active (running) since do 2018-01-04 08:42:01 CET; 2h 35min ago
  Process: 730 ExecStart=/usr/sbin/sssd -D -f (code=exited,
status=0/SUCCESS)
 Main PID: 757 (sssd)
   CGroup: /system.slice/sssd.service
   ├─757 /usr/sbin/sssd -D -f
   ├─767 /usr/libexec/sssd/sssd_be --domain network.cawdekempen.be
--uid 0 --gid 0 --debug-to-files
   ├─774 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
   ├─775 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0
--debug-to-files
   ├─776 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
   ├─777 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
   └─778 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files

jan 04 10:37:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
client step 1
jan 04 10:37:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
client step 2
jan 04 10:52:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
client step 1
jan 04 10:52:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
client step 1
jan 04 10:52:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
client step 1
jan 04 10:52:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
client step 2
jan 04 11:07:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
client step 1
jan 04 11:07:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
client step 1
jan 04 11:07:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
client step 1
jan 04 11:07:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
client step 2

In /var/log/secure there is always a clear message that the password is
expired:

Jan  4 10:06:13 lremijsen mate-screensaver-dialog:
pam_sss(mate-screensaver:auth): authentication failure; logname=
uid=382900705 euid=382900705 tty=:0.0 ruser= rhost= user=lremijsen
Jan  4 10:06:13 lremijsen mate-screensaver-dialog:
pam_sss(mate-screensaver:auth): received for user lremijsen: 12
(Authenticatietoken is niet langer geldig; nieuwe is vereist)
Jan  4 10:06:14 lremijsen mate-screensaver-dialog:
pam_sss(mate-screensaver:account): User info message: Wachtwoord verlopen.
Verander nu uw wachtwoord.

sssd_pam.log only shows:

(Tue Jan  2 13:05:46 2018) [sssd[pam]] [orderly_shutdown] (0x0010):
SIGTERM: killing children

   sssd_network.cawdekempen.be.log only shows:

(Tue Jan  2 13:05:46 2018) [sssd[be[network.cawdekempen.be]]]
[orderly_shutdown] (0x0010): SIGTERM: killing children

I suppose I have to increase the log levels?

Many many thanks for the help!

greetings, J.



2017-12-21 22:01 GMT+01:00 Jakub Hrozek via FreeIPA-users <
freeipa-users@lists.fedorahosted.org>:

> This sounds like a bug, could you follow
> https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html, gather logs
> from the pam and domain sections and post them here? If the password is
> expired, then pam_sss should send a message to the login manager which the
> login manager should display.
>
> The logs would at least show if the daemon is sending the message to
> pam_sss…
>
> > On 21 Dec 2017, at 09:39, Johan Vermeulen via FreeIPA-users <
> > freeipa-users@lists.fedorahosted.org> wrote:
> >
> > Hello All,
> >
> > We run some 200 Centos7/Mate laptops, since last year they authenticate
> > against freeipa.
> > Lightdm/Mate are installed using epel repo.
> >
> > On Centos7.3/Lightdm 1.10.6-4.el7 things were all right, when a password
> > expired, users would get the passwd expired field, the "new password" field
> > and warnings if they made a mistake.
> > Since upgrading to Centos7.4/Lightdm 1.25.0-1.el7 things go terribly
> > wrong. Users very often get no warning if a password expired, just an
> > authentication failure.
> > Or they get no message at all.
> >
> > If at that point you go to tty and log in you do get the warnings on
> > the command line.
> > The log files /var/log/secure also give clear password expired messages,
> > only the user sees nothing.
> >
> > This is a big problem because users cannot login and cannot work without
> > interventions.
> >
> > Many thanks for any help.
> >
> > Greetings, J.
> > ___
> > FreeIPA-user
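
Added example, not part of the original post: a small Python triage over /var/log/secure that lists users whose logins returned PAM status 12 (password expired), matching on the numeric code so it works for both the English and the Dutch-locale pam_sss lines quoted in this thread. The sample log lines, the user and host names and the SILENT_SERVICES set are constructed assumptions.

```python
import re
from collections import defaultdict

# Linux-PAM status codes seen in the pam_sss lines quoted in this thread.
PAM_AUTH_ERR = 7            # "Authentication failure"
PAM_NEW_AUTHTOK_REQD = 12   # password expired, a new one is required

# Assumption: PAM services whose greeter may not display the expiry prompt.
# lightdm is the one reported in this thread; adjust per site.
SILENT_SERVICES = {"lightdm"}

# Matches "<ts> <host> <prog>: pam_sss(<service>:<phase>): received for user
# <user>: <code> (<localized text>)". Only the numeric code is trusted.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+\S+:\s+"
    r"pam_sss\((?P<service>[^:()]+):\w+\):\s+"
    r"received for user (?P<user>\S+):\s+(?P<code>\d+)\s+\("
)

# Constructed sample lines (users, host and address are made up).
SAMPLE_LOG = """\
Jan  5 09:27:17 host1 lightdm: pam_sss(lightdm:auth): received for user alice: 7 (Authentication failure)
Jan  5 09:27:29 host1 lightdm: pam_sss(lightdm:auth): received for user alice: 12 (Authentication token is no longer valid; new one required)
Jan  5 09:27:29 host1 lightdm: pam_sss(lightdm:account): User info message: Password expired. Change your password now.
Jan  5 09:30:02 host1 mate-screensaver-dialog: pam_sss(mate-screensaver:auth): received for user bob: 12 (Authenticatietoken is niet langer geldig; nieuwe is vereist)
Jan  5 09:31:40 host1 lightdm: pam_sss(lightdm:auth): received for user carol: 12 (Authentication token is no longer valid; new one required)
Jan  5 09:33:05 host1 login: pam_sss(login:auth): received for user carol: 12 (Authentication token is no longer valid; new one required)
Jan  5 10:02:11 host1 sshd[2211]: Accepted publickey for dave from 192.0.2.10 port 50022 ssh2
"""


def expired_password_hits(log_text):
    """Summarise, per user, logins that ended in PAM status 12.

    needs_followup is True when every expiry hit came through a service in
    SILENT_SERVICES, i.e. the user may never have seen the change prompt.
    """
    report = {}
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pam_sss "received for user" line
        code, user = int(m["code"]), m["user"]
        if code == PAM_AUTH_ERR:
            failures[user] += 1
        elif code == PAM_NEW_AUTHTOK_REQD:
            entry = report.setdefault(
                user, {"services": set(), "hits": 0, "first": m["ts"]}
            )
            entry["services"].add(m["service"])
            entry["hits"] += 1
            entry["last"] = m["ts"]
    for user, entry in report.items():
        entry["auth_failures"] = failures[user]
        entry["needs_followup"] = entry["services"] <= SILENT_SERVICES
    return report


if __name__ == "__main__":
    for user, e in sorted(expired_password_hits(SAMPLE_LOG).items()):
        flag = "FOLLOW UP" if e["needs_followup"] else "ok"
        print(f"{user:8} hits={e['hits']} via={sorted(e['services'])} "
              f"auth_failures={e['auth_failures']} {flag}")
```
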

[Freeipa-users] Centos7.4: users not seeing password expired notifications

2017-12-21 Thread Johan Vermeulen via FreeIPA-users
Hello All,

We run some 200 Centos7/Mate laptops, since last year they authenticate
against freeipa.
Lightdm/Mate are installed using epel repo.

On Centos7.3/Lightdm 1.10.6-4.el7 things were all right, when a password
expired, users would get the passwd expired field, the "new password" field
and warnings if they made a mistake.
Since upgrading to Centos7.4/Lightdm 1.25.0-1.el7 things go terribly wrong.
Users very often get no warning if a password expired, just an
authentication failure.
Or they get no message at all.

If at that point you go to tty and log in you do get the warnings on
the command line.
The log files /var/log/secure also give clear password expired messages,
only the user sees nothing.

This is a big problem because users cannot login and cannot work without
interventions.

Many thanks for any help.

Greetings, J.