On Fri, Jan 29, 2016 at 03:22:23PM +0100, Lukas Slebodnik wrote:
> On (14/01/16 18:38), Jakub Hrozek wrote:
> >On Thu, Jan 14, 2016 at 12:09:12PM -0500, Simo Sorce wrote:
> >> > OK to push now?
> >> 
> >> Yes please :-)
> >> 
> >> Simo
> >
> >* master: 19e44537c28f6d5f011cd7ac885c74c1e892605f
> I have a question about this patch.
> 
> I can see some inconsistencies for expired/disabled user.
> 
> Here is an LDIF for expiration of a user
>         dn: cn=$username,$ou,$basedn
>         changetype: modify
>         replace: accountExpires
>         accountExpires: 129465018000000000
> 
> and for disabling user
>         dn: cn=$username,$ou,$basedn
>         changetype: modify
>         replace: userAccountControl
>         userAccountControl: 514
> 
> 
> There are tests with ssh + password (pam auth)
> and ssh + key (pam account)

I will try to take a look when I work on
https://fedorahosted.org/sssd/ticket/2927 (unless you just started on
that ticket and this is how you found out; in that case self-assign the
ticket, please. At any rate, thanks for the heads up.)

> 
> and here is current state with master.
> --------------------------------------
> disabled AD user
>   pam_sss(sshd:auth): received for user testuser01-17923: 6 (Permission denied)
> 
>   pam_sss(sshd:account): system info: [The user account is disabled on the AD server]
>   pam_sss(sshd:account): Access denied for user testuser01-17923: 6 (Permission denied)
> 
> expired AD user
>   pam_sss(sshd:auth): received for user testuser01-17923: 6 (Permission denied)
> 
>   pam_sss(sshd:account): system info: [The user account is expired on the AD server]
>   pam_sss(sshd:account): Access denied for user testuser01-17923: 13 (User account has expired)
> 
> 
> Previously, we could see the info "User account has expired"
> even in the auth phase. And it's unusual that auth and account returned different
> error codes.

I think the difference is because the auth phase derives the PAM error code
from the Kerberos error code, while the account phase looks at the
adUserAccountControl sysdb attribute. Chances are we need to take a look
at whether our handling of the attribute values is correct.

> 
> I think that this patch fixed the "auth" PAM error code for a disabled user
> but broke it for an expired user, or did I miss something?

I think those should be completely independent; the AD provider should
read the info in sdap_account_expired_ad(). But this is based just on
reading the code, I haven't actually done any tests.
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
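As an added illustration of the account-phase check discussed in the thread (this is example code, not sssd's sdap_account_expired_ad()), the following evaluates the two attributes the test LDIFs modify: userAccountControl bit 0x2 (ACCOUNTDISABLE, set in 514 = 0x202) and accountExpires as a Windows FILETIME, and maps each outcome to the PAM code and message seen in the logs above. The evaluation time and the use of plain integers instead of sysdb lookups are assumptions of the example.

```c
/* Added example (not sssd code): decide disabled/expired from the AD attributes
 * toggled by the LDIFs in the thread and return the PAM codes the log shows. */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define PAM_SUCCESS        0
#define PAM_PERM_DENIED    6   /* "Permission denied" in the account log */
#define PAM_ACCT_EXPIRED  13   /* "User account has expired" */
#define UAC_ACCOUNTDISABLE 0x0002   /* bit set in userAccountControl 514 = 0x202 */

/* accountExpires is a FILETIME: 100-ns ticks since 1601-01-01 UTC.
 * 0 and INT64_MAX both mean "never expires" in Active Directory. */
#define FILETIME_UNIX_OFFSET  116444736000000000ULL
#define ACCOUNT_NEVER_EXPIRES 0x7FFFFFFFFFFFFFFFULL

static time_t filetime_to_unix(uint64_t ft)
{
    if (ft < FILETIME_UNIX_OFFSET) return 0;   /* before the Unix epoch */
    return (time_t)((ft - FILETIME_UNIX_OFFSET) / 10000000ULL);
}

/* 'now' is passed in (Unix seconds) so the check is reproducible in tests. */
int ad_account_check(uint32_t uac, uint64_t account_expires, time_t now, const char **msg)
{
    if (uac & UAC_ACCOUNTDISABLE) {
        *msg = "The user account is disabled on the AD server";
        return PAM_PERM_DENIED;
    }
    if (account_expires != 0 && account_expires != ACCOUNT_NEVER_EXPIRES &&
        filetime_to_unix(account_expires) <= now) {
        *msg = "The user account is expired on the AD server";
        return PAM_ACCT_EXPIRED;
    }
    *msg = "account ok";
    return PAM_SUCCESS;
}

int main(void)
{
    const char *msg;
    time_t now = 1454000000; /* constructed: 2016-01-28, roughly this thread's date */
    int rc = ad_account_check(514, 0, now, &msg);                  /* disabled via LDIF */
    printf("disabled: %d (%s)\n", rc, msg);
    rc = ad_account_check(512, 129465018000000000ULL, now, &msg); /* expired via LDIF */
    printf("expired:  %d (%s)\n", rc, msg);
    return 0;
}
```

The accountExpires value from the LDIF decodes to 2011-04-05 UTC, so it is already in the past for the 2016 run; a value of 0 or INT64_MAX must not be treated as expired.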
