Nima Talebi <[email protected]> writes:
> On Fri, Dec 11, 2009 at 12:17 AM, Daniel Pittman <[email protected]> wrote:
>> Nima Talebi <[email protected]> writes:

[...]

>> So, what does 'passwd -S' show for 'darius' on that machine?  Specifically,
>> does it report something sensible for the status and age fields?
>
> Well, depends how I've configured nsswitch.conf, so I'll detail both 
> scenarios...
>
> If nsswitch contains:
>
> #. No LDAP here! - PAM LDAP takes over at this point.  The `pam_ldap' module
> #. from the libpam-ldap package logs into the LDAP server when checking
> #. passwords.  The pure pam_ldap solution allows limiting logins by how users
> #. are stored in the directory (e.g. only allow logins for users in a certain
> #. piece of the directory, require some attribute, etc).  It also requires less
> #. access rights to the LDAP directory and does not expose password hashes.
> shadow:         compat
>
> ...then, I naturally get nothing interesting...
>
> darius:/var/log# passwd -S nima
> nima P

...and this scenario is still reporting "must change password", right?

Are you actually using the PAM ldap module?  Is that, or some other module
like Unix auth, configured to handle password expiration?



> If I however replace compat with ldap...
>
> darius:/var/log# passwd -S nima
> nima L 01/01/1970 -1 0 0 -1
> darius:/var/log#
>
> At which point, the login problem changes to look like....
>
> % ssh darius
> You are required to change your password immediately (root enforced)
> Linux darius 2.6.26-1-amd64 #1 SMP Sat Jan 10 17:57:00 UTC 2009 x86_64
>
> The programs included with the Debian GNU/Linux system are free software;
> the exact distribution terms for each program are described in the
> individual files in /usr/share/doc/*/copyright.
>
> Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> permitted by applicable law.
> You have new mail.
> Last login: Wed Dec  9 06:08:23 2009 from datis
> WARNING: Your password has expired.
> You must change your password now and login again!
> (pam) Please visit http://intranet.autonomy.net.au/ to change your password.
> passwd: Permission denied
> passwd: password unchanged
> Connection to darius closed.
> %

Hmmmm.  That looks suspiciously good to me, if you either followed that link,
or configured the passwd PAM entries to use pam_ldap to change the directory
password rather than editing shadow. :)


>> Also, what does your /etc/pam.d/sshd file look like?  I doubt it is
>> relevant, but just in case...
>
> Well it is a little relevant, here are the ones that matter...
>
> UsePAM yes
> PasswordAuthentication yes
> ChallengeResponseAuthentication no #. PAM modules don't like "yes" here

That isn't the file I asked about, that is /etc/ssh/sshd_config.

I want to see how you configured the /etc/pam.d/sshd file, which is what
OpenSSH gets to run through with PAM. :)


>> Anyway, not a problem I have experienced.  (The "can't change password" is,
>> but our LDAP / ssh / password auth stuff just works(tm), I fear.)
>
> Do you use RHEL or Debian, or...?

Debian, but it wasn't any more trouble on RHEL a couple of years back. :)

        Daniel

-- 
✣ Daniel Pittman            ✉ [email protected]            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons
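Added example (not code from either poster, and not from Linux-PAM itself): the "nima L 01/01/1970 -1 0 0 -1" line above is a shadow record whose last-change field is day 0, which pam_unix treats as "change your password at next login" before it ever looks at the maximum age, which is why sshd reports "(root enforced)" rather than "(password aged)". The script below parses both `passwd -S` and `getent shadow` lines and reproduces the order of checks in pam_unix's account module (account expiry, then lastchg == 0, then max/inactivity aging, then the warning window); that ordering is my reading of pam_unix's check_shadow_expiry() and is an assumption, as are all the sample records, which are constructed.

```python
"""Interpret password-aging fields the way pam_unix's account check does.

Added example for this thread, not code from the posters or from
Linux-PAM. The check order is modelled on pam_unix's
check_shadow_expiry() (assumption); every sample line is constructed.
"""
from dataclasses import dataclass
from datetime import date

EPOCH = date(1970, 1, 1)


@dataclass
class Aging:
    name: str
    lastchg: int      # days since 1970-01-01; 0 = change at next login, -1 = unset
    min_days: int
    max_days: int     # -1 = password never expires
    warn: int
    inact: int        # grace days after expiry before the account is locked out
    expire: int = -1  # absolute account-expiry day, -1 = never


def _num(field):
    """Empty shadow fields read back as -1, as getspnam(3) reports them."""
    return int(field) if field != "" else -1


def parse_passwd_s(line):
    """Parse one line of `passwd -S` output (shadow-utils format:
    name status lastchg(MM/DD/YYYY) min max warn inact).
    Returns (status, Aging), or (status, None) when, as with the
    "nima P" line in the thread, no aging fields are reported."""
    f = line.split()
    if len(f) < 7:
        return f[1], None
    m, d, y = (int(x) for x in f[2].split("/"))
    days = (date(y, m, d) - EPOCH).days          # 01/01/1970 -> 0
    return f[1], Aging(f[0], days, _num(f[3]), _num(f[4]), _num(f[5]), _num(f[6]))


def parse_shadow(line):
    """Parse one `getent shadow` line:
    name:hash:lastchg:min:max:warn:inact:expire:flag"""
    f = line.rstrip("\n").split(":")
    return Aging(f[0], _num(f[2]), _num(f[3]), _num(f[4]),
                 _num(f[5]), _num(f[6]), _num(f[7]))


def classify(a, today=None):
    """Verdict pam_unix reaches for aging record `a` on day `today`
    (days since the epoch; default: now). Same order as pam_unix:
    account expiry, then the lastchg == 0 case, then aging, then warning."""
    if today is None:
        today = (date.today() - EPOCH).days
    if a.expire != -1 and today >= a.expire:
        return "account expired"
    if a.lastchg == 0:
        # Day 0 is what `passwd -e` / `chage -d 0` write: a forced change
        # regardless of min/max, reported as "(root enforced)".
        return "must change (root enforced)"
    if today < a.lastchg:
        return "ok (last change is in the future)"
    age = today - a.lastchg
    if a.max_days != -1 and age > a.max_days:
        if a.inact != -1 and age > a.max_days + a.inact:
            return "password aged, account inactive"
        return "must change (password aged)"
    if a.max_days != -1 and a.warn != -1 and age > a.max_days - a.warn:
        return "ok, expires in %d days" % (a.lastchg + a.max_days - today)
    return "ok"


# Constructed samples: the two `passwd -S` lines quoted in the thread plus
# local shadow lines (fake hashes) that exercise the other branches.
SAMPLES = [
    ("passwd -S", "nima P"),
    ("passwd -S", "nima L 01/01/1970 -1 0 0 -1"),
    ("shadow", "alice:$6$salt$hash:14000:0:90:7:::"),
    ("shadow", "bob:$6$salt$hash:13990:0:90:7:10::"),
    ("shadow", "carol:$6$salt$hash:14000:0:90:7::14050:"),
    ("shadow", "dave:$6$salt$hash:14015:0:90:7:::"),
]


def report(today=14100):
    """Return [(name, verdict), ...] for SAMPLES as of day `today`."""
    out = []
    for kind, line in SAMPLES:
        if kind == "passwd -S":
            status, a = parse_passwd_s(line)
            if a is None:
                out.append((line.split()[0], "no aging data (status %s)" % status))
                continue
        else:
            a = parse_shadow(line)
        out.append((a.name, classify(a, today)))
    return out


if __name__ == "__main__":
    for name, verdict in report():
        print("%-6s %s" % (name, verdict))
```

To check a real box, run `getent shadow USER` as root with the LDAP source enabled and feed that line to parse_shadow(); if the third field comes back 0 (shown by `passwd -S` as 01/01/1970), pam_unix will force a change no matter what the directory's aging policy says, and the forced `passwd` run then only succeeds if the password stack can actually write to wherever that record lives.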
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html