Expired != Disabled
This change is intentional.

Simo.

----- Original Message -----
> From: "Lukas Slebodnik" <lsleb...@redhat.com>
> To: "Development of the System Security Services Daemon" <sssd-devel@lists.fedorahosted.org>
> Cc: "Simo Sorce" <s...@redhat.com>
> Sent: Friday, January 29, 2016 9:22:23 AM
> Subject: Re: [SSSD] Re: [PATCH] fix account lockout reporting with the krb5 provider
> 
> On (14/01/16 18:38), Jakub Hrozek wrote:
> >On Thu, Jan 14, 2016 at 12:09:12PM -0500, Simo Sorce wrote:
> >> > OK to push now?
> >> 
> >> Yes please :-)
> >> 
> >> Simo
> >
> >* master: 19e44537c28f6d5f011cd7ac885c74c1e892605f
> I have a question about this patch.
> 
> I can see some inconsistencies for expired/disabled user.
> 
> Here is a LDIF for expiration of user
>         dn: cn=$username,$ou,$basedn
>         changetype: modify
>         replace: accountExpires
>         accountExpires: 129465018000000000
> 
> and for disabling user
>         dn: cn=$username,$ou,$basedn
>         changetype: modify
>         replace: userAccountControl
>         userAccountControl: 514
> 
> 
> There are tests with ssh + password (pam auth)
> and ssh + key (pam account)
> 
> and here is current state with master.
> --------------------------------------
> disabled AD user
>   pam_sss(sshd:auth): received for user testuser01-17923: 6 (Permission denied)
> 
>   pam_sss(sshd:account): system info: [The user account is disabled on the AD server]
>   pam_sss(sshd:account): Access denied for user testuser01-17923: 6 (Permission denied)
> 
> expired AD user
>   pam_sss(sshd:auth): received for user testuser01-17923: 6 (Permission denied)
> 
>   pam_sss(sshd:account): system info: [The user account is expired on the AD server]
>   pam_sss(sshd:account): Access denied for user testuser01-17923: 13 (User account has expired)
> 
> 
> Previously, we could see the info "User account has expired"
> even in the auth phase. And it's unusual that auth and account returned different
> error codes.
> 
> I think that this patch fixed "auth" PAM error code for disabled user
> but it broke for expired user or did I miss something?
> 
> LS
> 
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
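The quoted report hinges on two AD attribute values (accountExpires as a FILETIME, userAccountControl 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE) and on the PAM return codes pam_sss logs per phase. The following Python is an added illustration, not SSSD code and not from anyone in this thread: it decodes both attributes, and it parses pam_sss log lines to flag users whose auth and account phases returned different PAM codes, which is the inconsistency LS describes. The log lines are constructed, unwrapped versions of the ones quoted above, with user names of my own choosing; the PAM code names are the standard Linux-PAM values.

```python
import re
from datetime import datetime, timedelta, timezone

# AD accountExpires is a FILETIME: 100-ns ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# 0 and 0x7FFFFFFFFFFFFFFF both mean "account never expires".
_NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}

# userAccountControl flag bits relevant to the thread (514 = 0x200 | 0x2).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200

# Standard Linux-PAM return codes seen in the quoted logs.
PAM_CODE_NAMES = {6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR", 13: "PAM_ACCT_EXPIRED"}


def account_expires_to_datetime(value):
    """Decode accountExpires; returns None for the 'never expires' sentinels."""
    ticks = int(value)
    if ticks in _NEVER_EXPIRES:
        return None
    # timedelta only goes down to microseconds, so drop the sub-microsecond tick digit.
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def is_expired(account_expires, now=None):
    """True when accountExpires lies at or before 'now' (defaults to current UTC time)."""
    when = account_expires_to_datetime(account_expires)
    if when is None:
        return False
    now = now or datetime.now(timezone.utc)
    return when <= now


def is_disabled(user_account_control):
    """True when the ACCOUNTDISABLE bit is set in userAccountControl."""
    return bool(int(user_account_control) & ACCOUNTDISABLE)


# Matches the pam_sss lines that carry a PAM return code; "system info:" lines do not.
_LOG_RE = re.compile(
    r"pam_sss\((?P<service>[^:]+):(?P<phase>auth|account)\): "
    r".*?for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)


def parse_pam_sss(lines):
    """Return {user: {phase: pam_code}} from pam_sss log lines."""
    results = {}
    for line in lines:
        m = _LOG_RE.search(line)
        if m:
            results.setdefault(m["user"], {})[m["phase"]] = int(m["code"])
    return results


def find_phase_mismatches(lines):
    """Users whose auth and account phases reported different PAM codes."""
    mismatches = {}
    for user, phases in parse_pam_sss(lines).items():
        if "auth" in phases and "account" in phases and phases["auth"] != phases["account"]:
            mismatches[user] = (phases["auth"], phases["account"])
    return mismatches


# Constructed sample: the quoted log lines, unwrapped, with made-up user names.
SAMPLE_LOG = [
    "pam_sss(sshd:auth): received for user disabled-user: 6 (Permission denied)",
    "pam_sss(sshd:account): system info: [The user account is disabled on the AD server]",
    "pam_sss(sshd:account): Access denied for user disabled-user: 6 (Permission denied)",
    "pam_sss(sshd:auth): received for user expired-user: 6 (Permission denied)",
    "pam_sss(sshd:account): system info: [The user account is expired on the AD server]",
    "pam_sss(sshd:account): Access denied for user expired-user: 13 (User account has expired)",
]

if __name__ == "__main__":
    print("accountExpires 129465018000000000 ->", account_expires_to_datetime("129465018000000000"))
    print("userAccountControl 514 disabled?", is_disabled(514))
    for user, (auth, acct) in find_phase_mismatches(SAMPLE_LOG).items():
        print(f"{user}: auth={PAM_CODE_NAMES.get(auth, auth)} account={PAM_CODE_NAMES.get(acct, acct)}")
```

Run against the sample, only the expired user shows up as a mismatch (auth 6, account 13), which is exactly the asymmetry in the quoted logs; the disabled user reports 6 in both phases. The accountExpires value from the LDIF decodes to 2011-04-05 18:30:00 UTC, so that account is long expired.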
