Hi,

I am having some issues trying to configure sssd to print out a message 
informing a user if their account is locked out. I thought it would be as 
simple as setting pam_account_locked_message, but I guess not. I suspect this 
is an sssd issue, but I suppose it could be a PAM issue. Here is what my 
sssd.conf file looks like:

[domain/default]

debug_level = 8
cache_credentials = True
ldap_search_base = *************
ldap_user_search_base = *************
ldap_user_name = cn
ldap_group_search_base = **************
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = *****************
ldap_tls_cacert = ********************
ldap_referrals = False
enumerate = False
access_provider = ldap
ldap_access_order = ppolicy

[sssd]
services = nss, pam, autofs, ssh
config_file_version = 2

domains = default

[nss]
homedir_substring = /home

[pam]
pam_verbosity = 3
pam_account_locked_message = "Account locked"

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

And the relevant sections of PAM:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 100 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so


I see the following message in the sssd log with a locked-out account logging 
in:

(Thu Mar  1 22:05:23 2018) [sssd[be[default]]] [sdap_op_add] (0x2000): New operation 1 timeout 6
(Thu Mar  1 22:05:23 2018) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x1231d90], connected[1], ops[0x1303b50], ldap[0x12d0010]
(Thu Mar  1 22:05:23 2018) [sssd[be[default]]] [simple_bind_done] (0x2000): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].
(Thu Mar  1 22:05:23 2018) [sssd[be[default]]] [simple_bind_done] (0x1000): Password Policy Response: expire [-1] grace [-1] error [Account Locked].
(Thu Mar  1 22:05:23 2018) [sssd[be[default]]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), no errmsg set

And this is what showed up in /var/log/secure:

Mar  1 22:05:23 adms08 sshd[23044]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=********  user=*********
Mar  1 22:05:23 adms08 sshd[23044]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=******* user=********
Mar  1 22:05:23 adms08 sshd[23044]: pam_sss(sshd:auth): received for user *********: 7 (Authentication failure)
Mar  1 22:05:25 adms08 sshd[23044]: Failed password for ******* from ********** port 55284 ssh2

I feel like this should give something other than the normal failed password 
message.

Any help would be appreciated.

Thanks,
Jeff
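The two logs read together show where the lock signal actually surfaces: the server's ppolicy response control (1.3.6.1.4.1.42.2.27.8.5.1) reports "Account Locked" during the LDAP bind, that is in the PAM auth step, and sshd then only sees pam_sss code 7, so nothing in /var/log/secure distinguishes a locked account from a wrong password. The script below is an added example, not code from the thread or from SSSD, that correlates the sssd backend log with the secure log by timestamp to recover that reason; the sample lines are constructed from the post with placeholder host, user and PID values.

```python
import re
# Constructed sample lines modelled on the post; host, user and PID values are placeholders.
SSSD_LOG = """\
(Thu Mar  1 22:05:23 2018) [sssd[be[default]]] [simple_bind_done] (0x2000): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].
(Thu Mar  1 22:05:23 2018) [sssd[be[default]]] [simple_bind_done] (0x1000): Password Policy Response: expire [-1] grace [-1] error [Account Locked].
(Thu Mar  1 22:05:23 2018) [sssd[be[default]]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), no errmsg set
(Thu Mar  1 22:07:10 2018) [sssd[be[default]]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), no errmsg set
"""
SECURE_LOG = """\
Mar  1 22:05:23 adms08 sshd[23044]: pam_sss(sshd:auth): received for user alice: 7 (Authentication failure)
Mar  1 22:07:10 adms08 sshd[23099]: pam_sss(sshd:auth): received for user bob: 7 (Authentication failure)
"""
# The ppolicy response line carries the server's reason; the bind result only carries LDAP code 49.
PPOLICY_RE = re.compile(r"^\((?P<ts>[^)]+)\) .*\[simple_bind_done\] .*Password Policy Response: "
                        r"expire \[(?P<expire>-?\d+)\] grace \[(?P<grace>-?\d+)\] error \[(?P<error>[^\]]+)\]")
BIND_RE = re.compile(r"^\((?P<ts>[^)]+)\) .*\[simple_bind_done\] .*Bind result: (?P<result>[^(]+)\((?P<code>\d+)\)")
SECURE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
                       r"pam_sss\(sshd:auth\): received for user (?P<user>\S+): (?P<code>\d+)")

def time_key(ts):
    """Normalise both timestamp formats to 'Mon D HH:MM:SS' (sssd adds weekday and year)."""
    parts = ts.split()
    return " ".join(parts[1:4] if len(parts) == 5 else parts)

def bind_events(sssd_log):
    """Collect per-second bind outcomes from the sssd backend log: LDAP code plus ppolicy error text."""
    events = {}
    for line in sssd_log.splitlines():
        if m := PPOLICY_RE.search(line):
            events.setdefault(time_key(m["ts"]), {})["ppolicy_error"] = m["error"]
        elif m := BIND_RE.search(line):
            events.setdefault(time_key(m["ts"]), {})["code"] = int(m["code"])
    return events

def classify_failures(sssd_log, secure_log):
    """Attach the LDAP-side reason to each generic pam_sss auth failure that sshd logged.
    Correlation is by the second the bind completed, which suits a single host with low login volume."""
    events = bind_events(sssd_log)
    results = []
    for line in secure_log.splitlines():
        m = SECURE_RE.search(line)
        if not m:
            continue
        ev = events.get(time_key(m["ts"]), {})
        err = ev.get("ppolicy_error")
        locked = bool(err) and "lock" in err.lower()
        results.append({"user": m["user"], "pid": m["pid"], "ldap_code": ev.get("code"),
                        "ppolicy_error": err,
                        "cause": "account locked (ppolicy)" if locked else "bad password or other bind failure"})
    return results
```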

_______________________________________________
sssd-users mailing list -- [email protected]