On (20/11/14 09:39), Seth Sims wrote:
>Dear Lukas,
>
>In this case it's ssh. I just tried it using su - and it worked as
>expected.
>
>- Seth
>>>> su - worked
>$ su - test-user
>Password:
>Password expired. Change your password now.
>Current Password:
>New password:
>Retype new password:
>
>>>>>>>>>>>>>>>>> pam section of auth people for ssh that did not prompt
>[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): dbus conn: 0x24302d0
>[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): Dispatching.
>[sssd[be[auth-people]]] [sbus_message_handler] (0x4000): Received SBUS method [pamHandler]
>[sssd[be[auth-people]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>[sssd[be[auth-people]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [pamHandler]
>[sssd[be[auth-people]]] [be_req_set_domain] (0x0400): Changing request domain from [auth-people] to [auth-people]
>[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Got request with the following data
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): command: PAM_SETCRED
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): domain: auth-people
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): user: test-user
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): service: sshd
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): tty: ssh
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): ruser:
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): rhost: ***.***.***.***
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): authtok type: 0
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): newauthtok type: 0
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): priv: 1
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): cli_pid: 27189
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): logon name: not set
>[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Sending result [0][auth-people]
>[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): dbus conn: 0x24302d0
>[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): Dispatching.
>[sssd[be[auth-people]]] [sbus_message_handler] (0x4000): Received SBUS method [pamHandler]
>[sssd[be[auth-people]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>[sssd[be[auth-people]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [pamHandler]
>[sssd[be[auth-people]]] [be_req_set_domain] (0x0400): Changing request domain from [auth-people] to [auth-people]
>[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Got request with the following data
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): domain: auth-people
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): user: test-user
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): service: sshd
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): tty: ssh
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): ruser:
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): rhost: ***.***.***.***
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): authtok type: 0
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): newauthtok type: 0
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): priv: 1
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): cli_pid: 27189
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): logon name: not set
>[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Sending result [0][auth-people]
>[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): dbus conn: 0x24302d0
>[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): Dispatching.
>[sssd[be[auth-people]]] [sbus_message_handler] (0x4000): Received SBUS method [pamHandler]
>[sssd[be[auth-people]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>[sssd[be[auth-people]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [pamHandler]
>[sssd[be[auth-people]]] [be_req_set_domain] (0x0400): Changing request domain from [auth-people] to [auth-people]
>[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Got request with the following data
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): command: PAM_SETCRED
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): domain: auth-people
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): user: test-user
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): service: sshd
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): tty: ssh
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): ruser:
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): rhost: ***.***.***.***
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): authtok type: 0
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): newauthtok type: 0
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): priv: 0
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): cli_pid: 27192
>[sssd[be[auth-people]]] [pam_print_data] (0x0100): logon name: not set
>[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Sending result [0][auth-people]
>
>>>>>>>>>>> /etc/pam/password-auth
>auth required pam_env.so
>auth sufficient pam_unix.so nullok try_first_pass
>auth requisite pam_succeed_if.so uid >= 500 quiet
>auth sufficient pam_sss.so use_first_pass
>auth required pam_deny.so
>
>account required pam_access.so
>account sufficient pam_unix.so broken_shadow
>account sufficient pam_localuser.so
>account sufficient pam_succeed_if.so uid < 500 quiet
>account [default=bad success=ok user_unknown=ignore] pam_sss.so
>account required pam_permit.so
>
>password requisite pam_cracklib.so try_first_pass retry=3 type=
>password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
>password sufficient pam_sss.so use_authtok
>password required pam_deny.so
>
>session optional pam_keyinit.so revoke
>session required pam_limits.so
>session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>session required pam_unix.so
>session optional pam_sss.so
>
>>>>>>>>>>>>>> /etc/pam/sshd
>auth required pam_sepermit.so
>auth include password-auth
>account required pam_nologin.so
>account include password-auth
>password include password-auth
># pam_selinux.so close should be the first session rule
>session required pam_selinux.so close
>session required pam_loginuid.so
># pam_selinux.so open should only be followed by sessions to be executed in the user context
>session required pam_selinux.so open env_params
>session optional pam_keyinit.so force revoke
>session include password-auth
>
>>>>>>>>>>>>>>> /var/log/secure
>sshd[27189]: pam_sss(sshd:auth): received for user test-user: 12 (Authentication token is no longer valid; new one required)
The PAM error code 12 (PAM_NEW_AUTHTOK_REQD) was not lost.

>sshd[27189]: Accepted password for test-user from ***.***.***.*** port 50120 ssh2
>sshd[27189]: pam_unix(sshd:session): session opened for user test-user by (uid=0)
I have no idea why it was ignored by sshd.

LS
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
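Added illustration, not part of the thread and not SSSD or Linux-PAM project code: a small Python evaluator of the control-flag rules documented in pam.d(5), run over the `account` group of the password-auth file quoted above. OpenSSH triggers the forced password change from the result of pam_acct_mgmt(), so the account group is where PAM_NEW_AUTHTOK_REQD has to surface, whatever the auth line logged. The evaluator shows the two ways that can go with this module ordering: a `sufficient` module returning success ahead of pam_sss.so terminates the stack before pam_sss.so is consulted at all, while if pam_sss.so is reached its 12 survives both the `[default=bad ...]` control and the trailing `required pam_permit.so`. Every per-module return value below is a constructed input; in particular, pam_unix.so returning success for the SSSD user under `broken_shadow` is a hypothesis used to exercise the first path, not something the thread establishes.

```python
"""Linux-PAM stack evaluator following the control-flag rules in pam.d(5).
Added example, not SSSD or Linux-PAM code; the module results fed to it are
constructed scenarios, not values observed in the thread."""

# Return codes from <security/_pam_types.h>, only those used here.
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR = 0, 6, 7
PAM_USER_UNKNOWN, PAM_NEW_AUTHTOK_REQD, PAM_IGNORE = 10, 12, 25

# Names allowed inside a [...] control, and the simple keywords written as the
# bracket controls pam.d(5) defines them to equal.
CODE_NAMES = {"success": PAM_SUCCESS, "perm_denied": PAM_PERM_DENIED,
              "auth_err": PAM_AUTH_ERR, "user_unknown": PAM_USER_UNKNOWN,
              "new_authtok_reqd": PAM_NEW_AUTHTOK_REQD, "ignore": PAM_IGNORE}
SIMPLE = {"required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
          "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
          "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
          "optional":   "[success=ok new_authtok_reqd=ok default=ignore]"}

def parse_control(control):
    """Map a control field to {return_code or 'default': action}."""
    control = SIMPLE.get(control, control)
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("unsupported control: %s" % control)
    actions = {}
    for token in control[1:-1].split():
        key, action = token.split("=", 1)
        actions["default" if key == "default" else CODE_NAMES[key]] = action
    return actions

def parse_stack(text, group):
    """Return [(actions, module)] for the lines of one group, e.g. 'account'."""
    stack = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] != group:
            continue
        if f[1].startswith("["):  # bracket controls contain spaces
            end = next(i for i, w in enumerate(f) if w.endswith("]"))
            control, module = " ".join(f[1:end + 1]), f[end + 1]
        else:
            control, module = f[1], f[2]
        stack.append((parse_control(control), module))
    return stack

def run_stack(stack, results):
    """Apply libpam's _pam_dispatch_aux() rules; `results` maps module name to
    the code it would return.  Returns (stack status, modules actually called)."""
    UNDEF, POSITIVE, NEGATIVE = 0, 1, 2
    impression, status, called, i = UNDEF, PAM_PERM_DENIED, [], 0
    while i < len(stack):
        actions, module = stack[i]
        i += 1
        retval = results[module]
        called.append(module)
        action = actions.get(retval, actions.get("default", "bad"))
        if action in ("bad", "die"):
            if impression != NEGATIVE:  # the first failure is the one kept
                impression = NEGATIVE
                status = PAM_PERM_DENIED if retval == PAM_IGNORE else retval
            if action == "die":
                break
        elif action in ("ok", "done") or action.isdigit():
            # A later success overrides only an earlier PAM_SUCCESS, never a
            # failure or a non-zero "positive" code such as NEW_AUTHTOK_REQD.
            if impression == UNDEF or (impression == POSITIVE and status == PAM_SUCCESS):
                if retval != PAM_IGNORE or impression == UNDEF:
                    impression, status = POSITIVE, retval
            if action.isdigit():
                i += int(action)  # jump: skipped modules count as ignored
            elif action == "done" and impression == POSITIVE:
                break
        elif action == "reset":
            impression, status = UNDEF, PAM_PERM_DENIED
        # "ignore": the module's result does not contribute at all
    if status == PAM_SUCCESS and impression != POSITIVE:  # libpam's sanity check
        status = PAM_PERM_DENIED
    return status, called

# The account group of the quoted password-auth file, copied verbatim.
PASSWORD_AUTH_ACCOUNT = """
account required pam_access.so
account sufficient pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
"""

def account_result(pam_unix_result):
    """Run the account group for an SSSD user whose password has expired.

    Constructed module results: pam_sss.so reports PAM_NEW_AUTHTOK_REQD, the
    local-only modules decline the user, and pam_unix.so returns whatever the
    caller assumes.  PAM_SUCCESS there (the hypothesis that broken_shadow lets
    its account check pass for a user whose shadow data it cannot read) ends
    the stack before pam_sss.so runs; PAM_USER_UNKNOWN lets pam_sss.so run and
    its 12 then survives the trailing `required pam_permit.so`."""
    results = {"pam_access.so": PAM_SUCCESS, "pam_unix.so": pam_unix_result,
               "pam_localuser.so": PAM_PERM_DENIED, "pam_succeed_if.so": PAM_AUTH_ERR,
               "pam_sss.so": PAM_NEW_AUTHTOK_REQD, "pam_permit.so": PAM_SUCCESS}
    return run_stack(parse_stack(PASSWORD_AUTH_ACCOUNT, "account"), results)
```

`account_result(PAM_SUCCESS)` returns status 0 with only pam_access.so and pam_unix.so called, so the caller never sees pam_sss.so's verdict; `account_result(PAM_USER_UNKNOWN)` walks all six modules and returns 12. The `[default=bad ...]` control records 12 as a failure rather than as a success, which is exactly why the later `required pam_permit.so` cannot turn it back into PAM_SUCCESS. To check a different stack, paste its lines into `parse_stack` and supply the assumed return codes in the same way.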
