On (14/01/16 18:38), Jakub Hrozek wrote:
>On Thu, Jan 14, 2016 at 12:09:12PM -0500, Simo Sorce wrote:
>> > OK to push now?
>>
>> Yes please :-)
>>
>> Simo
>
>* master: 19e44537c28f6d5f011cd7ac885c74c1e892605f

I have a question about this patch.
I can see some inconsistencies for expired/disabled users.

Here is an LDIF for expiration of a user

dn: cn=$username,$ou,$basedn
changetype: modify
replace: accountExpires
accountExpires: 129465018000000000

and for disabling a user

dn: cn=$username,$ou,$basedn
changetype: modify
replace: userAccountControl
userAccountControl: 514

There are tests with ssh + password (pam auth) and ssh + key (pam account),
and here is the current state with master.
--------------------------------------
disabled AD user
pam_sss(sshd:auth): received for user testuser01-17923: 6 (Permission denied)
pam_sss(sshd:account): system info: [The user account is disabled on the AD server]
pam_sss(sshd:account): Access denied for user testuser01-17923: 6 (Permission denied)

expired AD user
pam_sss(sshd:auth): received for user testuser01-17923: 6 (Permission denied)
pam_sss(sshd:account): system info: [The user account is expired on the AD server]
pam_sss(sshd:account): Access denied for user testuser01-17923: 13 (User account has expired)

Previously, we could see the info "User account has expired" even in the auth phase.
And it's unusual that auth and account returned different error codes.

I think that this patch fixed the "auth" PAM error code for the disabled user
but it broke it for the expired user, or did I miss something?

LS
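Added example, not part of the original message and not SSSD code: a small Python check that decodes the two AD attributes set by the LDIF above and flags a user whose pam_sss auth and account phases returned different PAM codes, run over the log lines quoted in the message. The function names, the value 512 for an enabled account and the accountExpires value 0 for the disabled case are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta, timezone

UAC_ACCOUNTDISABLE = 0x2         # ACCOUNTDISABLE bit; 514 = 512 (normal account) + 2
NEVER = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values that mean "never expires"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MESSAGE_DATE = datetime(2016, 1, 14, tzinfo=timezone.utc)  # date of the mail above
PAM_LINE = re.compile(r"pam_sss\(\w+:(?P<phase>auth|account)\): .*?"
                      r"for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")

def account_state(uac, account_expires, now=MESSAGE_DATE):
    """Return the set of states implied by userAccountControl and accountExpires."""
    states = {"disabled"} if uac & UAC_ACCOUNTDISABLE else set()
    if account_expires not in NEVER:
        # accountExpires counts 100 ns intervals since 1601-01-01 UTC.
        expiry = FILETIME_EPOCH + timedelta(microseconds=account_expires // 10)
        if expiry <= now:
            states.add("expired")
    return states

def phase_codes(lines):
    """Map user -> {phase: (code, text)} from the pam_sss result lines of one login."""
    out = {}
    for line in lines:
        m = PAM_LINE.search(line)
        if m:  # "system info" lines carry no result code and are skipped
            out.setdefault(m["user"], {})[m["phase"]] = (int(m["code"]), m["text"])
    return out

def mismatched(lines):
    """Users whose auth and account phases returned different PAM codes."""
    return {u: p for u, p in phase_codes(lines).items()
            if {"auth", "account"} <= p.keys() and p["auth"][0] != p["account"][0]}

# Log lines copied from the message, one list per test case.
DISABLED_LOG = [
    "pam_sss(sshd:auth): received for user testuser01-17923: 6 (Permission denied)",
    "pam_sss(sshd:account): system info: [The user account is disabled on the AD server]",
    "pam_sss(sshd:account): Access denied for user testuser01-17923: 6 (Permission denied)",
]
EXPIRED_LOG = [
    "pam_sss(sshd:auth): received for user testuser01-17923: 6 (Permission denied)",
    "pam_sss(sshd:account): system info: [The user account is expired on the AD server]",
    "pam_sss(sshd:account): Access denied for user testuser01-17923: 13 (User account has expired)",
]

if __name__ == "__main__":
    print(account_state(514, 0), mismatched(DISABLED_LOG))  # 0: assumed, never expires
    print(account_state(512, 129465018000000000), mismatched(EXPIRED_LOG))  # 512: assumed
```
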