On (14/01/16 18:38), Jakub Hrozek wrote:
>On Thu, Jan 14, 2016 at 12:09:12PM -0500, Simo Sorce wrote:
>> > OK to push now?
>> 
>> Yes please :-)
>> 
>> Simo
>
>* master: 19e44537c28f6d5f011cd7ac885c74c1e892605f
I have a question about this patch.

I can see some inconsistencies for expired/disabled users.

Here is an LDIF for expiration of a user
        dn: cn=$username,$ou,$basedn
        changetype: modify
        replace: accountExpires
        accountExpires: 129465018000000000

and for disabling a user
        dn: cn=$username,$ou,$basedn
        changetype: modify
        replace: userAccountControl
        userAccountControl: 514


There are tests with ssh + password (pam auth)
and ssh + key (pam account)

and here is the current state with master.
--------------------------------------
disabled AD user
  pam_sss(sshd:auth): received for user testuser01-17923: 6 (Permission denied)

  pam_sss(sshd:account): system info: [The user account is disabled on the AD server]
  pam_sss(sshd:account): Access denied for user testuser01-17923: 6 (Permission denied)

expired AD user
  pam_sss(sshd:auth): received for user testuser01-17923: 6 (Permission denied)

  pam_sss(sshd:account): system info: [The user account is expired on the AD server]
  pam_sss(sshd:account): Access denied for user testuser01-17923: 13 (User account has expired)


Previously, we could see the info "User account has expired"
even in the auth phase. And it's unusual that auth and account returned different
error codes.

I think that this patch fixed the "auth" PAM error code for disabled users
but broke it for expired users, or did I miss something?

LS
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
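The two LDIF attributes quoted in the mail and the pam_sss log lines can be checked mechanically. The script below is an added example written for this page, not SSSD code: it decodes `accountExpires` (a Windows FILETIME) and `userAccountControl` (bit flags) into an account state, and it parses pam_sss log lines to flag users whose auth and account phases returned different PAM codes, which is the inconsistency the mail describes. The order in which the disabled and expired checks are applied is a choice of this example, and the user names in the sample log lines are constructed.

```python
"""Decode AD account-state attributes and cross-check pam_sss return codes.

Added example for this thread, not code from the SSSD project.  The attribute
values come from the LDIF in the mail; the log lines are the quoted ones with
constructed user names so both cases appear in one sample.
"""
import re
from datetime import datetime, timezone

# Windows FILETIME counts 100 ns ticks since 1601-01-01 UTC; this is the
# tick count at the Unix epoch (1970-01-01 UTC).
FILETIME_UNIX_OFFSET = 116444736000000000
# accountExpires values AD treats as "never expires".
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}
# userAccountControl bits (MS-ADTS); 514 in the LDIF is 0x200 | 0x002.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
# Linux-PAM return codes seen in the quoted log lines.
PAM_PERM_DENIED = 6
PAM_ACCT_EXPIRED = 13


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD FILETIME integer to an aware UTC datetime (whole seconds)."""
    seconds = (filetime - FILETIME_UNIX_OFFSET) // 10_000_000
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def account_state(account_expires: int, uac: int, now: datetime) -> str:
    """Return 'disabled', 'expired' or 'active' for the given attribute values.

    The disabled check runs first; that ordering is this example's choice,
    not a statement about how SSSD evaluates the attributes.
    """
    if uac & UF_ACCOUNTDISABLE:
        return "disabled"
    if account_expires not in NEVER_EXPIRES and filetime_to_datetime(account_expires) <= now:
        return "expired"
    return "active"


# Matches both "received for user X: N (msg)" and "Access denied for user X: N (msg)".
LOG_RE = re.compile(
    r"pam_sss\((?P<service>[^:]+):(?P<phase>\w+)\): .*? for user (?P<user>\S+): "
    r"(?P<code>\d+) \((?P<msg>[^)]*)\)"
)


def parse_pam_sss(lines):
    """Map (user, phase) -> (code, message) from pam_sss log lines; other lines are skipped."""
    result = {}
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            result[(m["user"], m["phase"])] = (int(m["code"]), m["msg"])
    return result


def inconsistent_users(parsed):
    """Users for whom the auth and account phases returned different PAM codes."""
    bad = []
    for user in sorted({user for user, _ in parsed}):
        auth = parsed.get((user, "auth"))
        acct = parsed.get((user, "account"))
        if auth and acct and auth[0] != acct[0]:
            bad.append(user)
    return bad


# Constructed sample: the mail's lines with distinct user names per test case.
SAMPLE_LOG = [
    "pam_sss(sshd:auth): received for user disabled-user: 6 (Permission denied)",
    "pam_sss(sshd:account): system info: [The user account is disabled on the AD server]",
    "pam_sss(sshd:account): Access denied for user disabled-user: 6 (Permission denied)",
    "pam_sss(sshd:auth): received for user expired-user: 6 (Permission denied)",
    "pam_sss(sshd:account): system info: [The user account is expired on the AD server]",
    "pam_sss(sshd:account): Access denied for user expired-user: 13 (User account has expired)",
]

if __name__ == "__main__":
    now = datetime(2016, 1, 14, tzinfo=timezone.utc)  # date of the thread
    print("accountExpires ->", filetime_to_datetime(129465018000000000).isoformat())
    print("UAC 514 + that expiry ->", account_state(129465018000000000, 514, now))
    print("UAC 512 + that expiry ->", account_state(129465018000000000, 512, now))
    print("auth/account mismatch for:", inconsistent_users(parse_pam_sss(SAMPLE_LOG)))
```

Running it shows the `accountExpires` value from the LDIF lies years before the test date, so that account is expired on its own; with `userAccountControl: 514` the disabled bit is also set. The log check reports only the expired user, because its auth phase returned 6 while its account phase returned 13, which is exactly the discrepancy raised in the mail.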
