Expired != Disabled
this change is intentional.

Simo.

----- Original Message -----
> From: "Lukas Slebodnik" <lsleb...@redhat.com>
> To: "Development of the System Security Services Daemon" <sssd-devel@lists.fedorahosted.org>
> Cc: "Simo Sorce" <s...@redhat.com>
> Sent: Friday, January 29, 2016 9:22:23 AM
> Subject: Re: [SSSD] Re: [PATCH] fix account lockout reporting with the krb5 provider
>
> On (14/01/16 18:38), Jakub Hrozek wrote:
> >On Thu, Jan 14, 2016 at 12:09:12PM -0500, Simo Sorce wrote:
> >> > OK to push now?
> >>
> >> Yes please :-)
> >>
> >> Simo
> >
> >* master: 19e44537c28f6d5f011cd7ac885c74c1e892605f
> I have a question about this patch.
>
> I can see some inconsistencies for expired/disabled user.
>
> Here is an LDIF for expiration of user
> dn: cn=$username,$ou,$basedn
> changetype: modify
> replace: accountExpires
> accountExpires: 129465018000000000
>
> and for disabling user
> dn: cn=$username,$ou,$basedn
> changetype: modify
> replace: userAccountControl
> userAccountControl: 514
>
>
> There are tests with ssh + password (pam auth)
> and ssh + key (pam account)
>
> and here is current state with master.
> --------------------------------------
> disabled AD user
> pam_sss(sshd:auth): received for user testuser01-17923: 6 (Permission denied)
>
> pam_sss(sshd:account): system info: [The user account is disabled on the AD server]
> pam_sss(sshd:account): Access denied for user testuser01-17923: 6 (Permission denied)
>
> expired AD user
> pam_sss(sshd:auth): received for user testuser01-17923: 6 (Permission denied)
>
> pam_sss(sshd:account): system info: [The user account is expired on the AD server]
> pam_sss(sshd:account): Access denied for user testuser01-17923: 13 (User account has expired)
>
>
> Previously, we could see info "User account has expired"
> even in auth phase. And it's unusual that auth and account returned different
> error codes.
>
> I think that this patch fixed "auth" PAM error code for disabled user
> but it broke for expired user or did I miss something?
>
> LS
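
Added example, not part of the original thread and not SSSD code: it decodes the two attribute values from the LDIF records quoted above and shows why they describe different account states, paired with the account-phase PAM codes printed in the quoted pam_sss logs. The DN values, the function names, the reference date and the choice to check "disabled" before "expired" are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

UAC_ACCOUNTDISABLE = 0x0002              # AD userAccountControl bit; 514 = 512 | 2
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values meaning "never"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Account-phase PAM codes as printed in the thread's pam_sss logs on master.
PAM_CODE = {"active": 0, "disabled": 6, "expired": 13}

# The two modify records from the thread, with constructed DN values.
EXPIRE_LDIF = """\
dn: cn=testuser,ou=people,dc=example,dc=test
changetype: modify
replace: accountExpires
accountExpires: 129465018000000000
"""
DISABLE_LDIF = """\
dn: cn=testuser,ou=people,dc=example,dc=test
changetype: modify
replace: userAccountControl
userAccountControl: 514
"""

def replaced_attrs(ldif):
    """Return {attribute: int} for every 'replace: X' followed by 'X: value'."""
    pairs = [l.split(":", 1) for l in ldif.splitlines() if ":" in l]
    pairs = [(k.strip(), v.strip()) for k, v in pairs]
    return {k: int(v) for (op, name), (k, v) in zip(pairs, pairs[1:])
            if op == "replace" and k == name}

def expiry_time(account_expires):
    """accountExpires counts 100 ns ticks since 1601-01-01 UTC; None = never."""
    if account_expires in NEVER_EXPIRES:
        return None
    try:
        return FILETIME_EPOCH + timedelta(microseconds=account_expires // 10)
    except OverflowError:  # beyond datetime's range: treat as never expiring
        return None

def account_state(attrs, now):
    """Classify an account; 'disabled' is checked first (example's assumption)."""
    if attrs.get("userAccountControl", 512) & UAC_ACCOUNTDISABLE:
        return "disabled"
    expires = expiry_time(attrs.get("accountExpires", 0))
    return "expired" if expires is not None and expires <= now else "active"

if __name__ == "__main__":
    now = datetime(2016, 1, 29, tzinfo=timezone.utc)  # date of the quoted mail
    for ldif in (EXPIRE_LDIF, DISABLE_LDIF):
        state = account_state(replaced_attrs(ldif), now)
        print(state, "-> account phase PAM code", PAM_CODE[state])
```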