Changing the pam_verbosity to 2 or 3 had no effect. It doesn't tell the user
their account is locked, but everything shows up in syslog or the sssd domain log
fine.
I've looked through pam_sss.c and if I am understanding correctly, this block
of code seems to be what is putting the message into syslog:
    case SSS_PAM_SYSTEM_INFO:
        if (buf[p + (len -1)] != '\0') {
            D(("system info does not end with \\0."));
            break;
        }
        logger(pamh, LOG_INFO, "system info: [%s]", &buf[p]);
        break;
The account locked message is coming back from the BE tagged as
SSS_PAM_SYSTEM_INFO instead of SSS_PAM_USER_INFO, which is where the other
messages related to expired passwords, grace logins, etc. get processed. So I
suspect there is no way to let the user know their account is locked directly,
since there is no corresponding user message function in pam_sss.c.
But if I am wrong, please let me know :).
Thanks,
-Brad
===================================================
Brad Viviano
High Performance Computing & Scientific Visualization
Lockheed Martin, Supporting the EPA
Research Triangle Park, NC
919-541-2696
HSCSS Task Order Lead - Ravi Nair
919-541-5467 - [email protected]
High Performance Computing Subtask Lead - Durward Jones
919-541-5043 - [email protected]
Environmental Modeling and Visualization Lead - Heidi Paulsen
919-541-1834 - [email protected]
________________________________________
From: [email protected]
<[email protected]> on behalf of Jakub Hrozek
<[email protected]>
Sent: Wednesday, November 27, 2013 11:34 AM
To: [email protected]
Subject: Re: [SSSD] sssd_be not telling user account is locked?
On Wed, Nov 27, 2013 at 03:28:13PM +0000, Viviano, Brad wrote:
> Hello,
> I have a RHEL6 server running sssd 1.9.2-129 (Red Hat RPM). I've
> configured it to talk to my LDAP server, which is OpenLDAP. OpenLDAP doesn't
> natively support account locking via ldap_ns_account_lock, so I added a schema
> extension so I could set an account as locked when needed. Everything is
> working fine having ldap_account_expire_policy set to rhds, but I was
> wondering if there was an option in sssd to provide a message to the user
> directly that the account is locked when they try to log in. All the user
> sees is (as an example):
>
> $ ssh -o bviviano@myhost
> bviviano@myhost's password:
> Your password will expire in 6 day(s).
> Connection closed
>
> If I look in /var/log/secure I see this message:
>
> Nov 27 10:03:44 smtools sshd[17267]: pam_sss(sshd:account): system info: [The
> user account is locked on the server]
>
> I can see the account is locked and my sssd log for that domain shows the
> account is locked:
>
> (Wed Nov 27 10:03:44 2013) [sssd[be[default]]] [sdap_account_expired_rhds]
> (0x0400): Performing RHDS access check for user [bviviano]
> (Wed Nov 27 10:03:44 2013) [sssd[be[default]]] [sdap_account_expired_rhds]
> (0x4000): Account for user [bviviano] is locked.
> (Wed Nov 27 10:03:44 2013) [sssd[be[default]]] [be_pam_handler_callback]
> (0x0100): Backend returned: (0, 6, <NULL>) [Success]
>
> I'd just like to provide that information back to the user directly in this
> case, if its an option.
>
> Thanks,
> -Brad Viviano
Hi Brad,
can you test if the message appears if you set pam_verbosity=2 in the
[pam] section of sssd.conf?
_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
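To illustrate the point Brad makes about the two message tags, here is an added example (written for this page, not code from sssd or pam_sss.c) of a small response-blob dispatcher: records tagged USER_INFO go to the user, gated by pam_verbosity, while records tagged SYSTEM_INFO only ever go to the log, regardless of verbosity, and any record whose payload is not NUL-terminated is dropped before use, as the quoted pam_sss.c block does. The record layout (uint32 type, uint32 len, len bytes), the tag values, the verbosity threshold and the struct sinks callback stand-in are all assumptions of this example, not sssd's real wire format or API.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Tags modelled on the SSS_PAM_* response types named in the thread.
 * The numeric values are assumed for this example, not taken from sssd. */
enum msg_type {
    MSG_USER_INFO   = 1,   /* would be shown to the user via the PAM conversation */
    MSG_SYSTEM_INFO = 2,   /* logged to syslog only */
};

/* Hypothetical stand-in for the PAM conversation and syslog sinks, so the
 * dispatch logic can be exercised without a PAM stack. */
struct sinks {
    char user_msg[256];  /* last message that would reach the user */
    char log_msg[256];   /* last message that would go to syslog */
    int user_count;
    int log_count;
    int rejected;        /* records dropped because the payload was malformed */
};

/* Walk a blob of (uint32 type, uint32 len, len bytes) records in host byte
 * order (assumed layout). Returns false if a length field overruns the blob. */
static bool dispatch_responses(const uint8_t *buf, size_t buflen,
                               int verbosity, struct sinks *s)
{
    size_t p = 0;
    while (p < buflen) {
        uint32_t type, len;
        if (buflen - p < 2 * sizeof(uint32_t)) return false;
        memcpy(&type, buf + p, sizeof type);
        memcpy(&len, buf + p + sizeof type, sizeof len);
        p += 2 * sizeof(uint32_t);
        if (len > buflen - p) return false;
        const char *payload = (const char *)buf + p;

        /* Both sinks take a C string: require a terminating NUL inside the
         * declared length before touching the payload. */
        if (len == 0 || payload[len - 1] != '\0' || len > sizeof s->user_msg) {
            s->rejected++;
        } else {
            switch (type) {
            case MSG_USER_INFO:
                /* Assumed threshold: verbosity >= 1 shows user info messages. */
                if (verbosity >= 1) {
                    snprintf(s->user_msg, sizeof s->user_msg, "%s", payload);
                    s->user_count++;
                }
                break;
            case MSG_SYSTEM_INFO:
                /* Never reaches the user, whatever verbosity is set to. */
                snprintf(s->log_msg, sizeof s->log_msg, "system info: [%s]", payload);
                s->log_count++;
                break;
            default:
                s->rejected++;
            }
        }
        p += len;
    }
    return true;
}

/* Append one record to out (constructed test data); returns bytes written. */
static size_t put_record(uint8_t *out, uint32_t type, const char *text)
{
    uint32_t len = (uint32_t)strlen(text) + 1;  /* include the NUL */
    memcpy(out, &type, sizeof type);
    memcpy(out + sizeof type, &len, sizeof len);
    memcpy(out + 2 * sizeof(uint32_t), text, len);
    return 2 * sizeof(uint32_t) + len;
}

/* Reproduce the thread's situation: an expiry warning tagged USER_INFO next
 * to the locked-account text tagged SYSTEM_INFO. Returns 1 when only the
 * expiry warning would reach the user, the behaviour Brad reports. */
int locked_message_hidden_from_user(int verbosity)
{
    uint8_t blob[512];
    size_t n = 0;
    struct sinks s;
    memset(&s, 0, sizeof s);
    n += put_record(blob + n, MSG_USER_INFO, "Your password will expire in 6 day(s).");
    n += put_record(blob + n, MSG_SYSTEM_INFO, "The user account is locked on the server");
    if (!dispatch_responses(blob, n, verbosity, &s)) return -1;
    return s.user_count == 1 && s.log_count == 1
        && strcmp(s.user_msg, "Your password will expire in 6 day(s).") == 0
        && strcmp(s.log_msg, "system info: [The user account is locked on the server]") == 0;
}

/* A record whose payload lacks the NUL terminator must be dropped, not logged. */
int malformed_record_is_rejected(void)
{
    uint8_t blob[64];
    uint32_t type = MSG_SYSTEM_INFO, len = 6;
    struct sinks s;
    memset(&s, 0, sizeof s);
    memcpy(blob, &type, sizeof type);
    memcpy(blob + sizeof type, &len, sizeof len);
    memcpy(blob + 2 * sizeof(uint32_t), "locked", 6);  /* six bytes, no NUL */
    if (!dispatch_responses(blob, 2 * sizeof(uint32_t) + 6, 2, &s)) return -1;
    return s.rejected == 1 && s.log_count == 0;
}

int main(void)
{
    printf("locked text hidden at verbosity 2: %d\n", locked_message_hidden_from_user(2));
    printf("unterminated record rejected: %d\n", malformed_record_is_rejected());
    return 0;
}
```

The example shows why raising pam_verbosity changes nothing here: the verbosity check only sits on the USER_INFO path, so a message that the backend tags SYSTEM_INFO can only ever surface in the log.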