On Thu, Feb 19, 2015 at 11:17:38AM +0100, Jakub Hrozek wrote:
> On Thu, Feb 19, 2015 at 10:54:21AM +0100, Sumit Bose wrote:
> > As a side note, when using IPA or AD with passwords already the
> > authentication fails for expired account and it looks like ssh does not
> > show PAM messages during the authentication phase, you will only see:
>
> This reminded me that we had a bug a long time ago that insisted on
> checking the krbPrincipalExpiration attribute during the account phase.
> I still have the patch in one of my old branches, but it doesn't apply
> anymore.
>
> Would it make sense to merge that code as well now that we're touching
> the sdap access code at all?

I haven't checked but it might be already covered by Pavel's "SDAP: enable
change phase of pw expire policy check" patch. I plan to review this next and
will check with krbPrincipalExpiration as well.

bye,
Sumit

> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel