On Thu, Mar 01, 2018 at 10:15:28PM +0000, Kopera, Jeffrey M wrote:
> Hi,
> 
> I am having some issues trying to configure sssd to print out a message 
> informing a user if their account is locked out. I thought it would be as 
> simple as setting pam_account_locked_message, but I guess not. I suspect this 
> is an sssd issue, but I suppose it could be a PAM issue. Here is what my 
> sssd.conf file looks like:
> 
> [domain/default]
> 
> debug_level = 8
> cache_credentials = True
> ldap_search_base = *************
> ldap_user_search_base = *************
> ldap_user_name = cn
> ldap_group_search_base = **************
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_uri = *****************
> ldap_tls_cacert = ********************
> ldap_referrals = False
> enumerate = False
> access_provider = ldap
> ldap_access_order = ppolicy
> 
> [sssd]
> services = nss, pam, autofs, ssh
> config_file_version = 2
> 
> domains = default
> [nss]
> homedir_substring = /home
> 
> [pam]
> pam_verbosity = 3
> pam_account_locked_message = "Account locked"
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> [ifp]
> 
> And the relevant sections of PAM
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_fprintd.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 100 quiet
> auth        sufficient    pam_sss.so use_first_pass
> auth        required      pam_deny.so
> 
> account     required      pam_unix.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 100 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
> 
> 
> I see the following message in the sssd log with a locked out account logging 
> in:
> 
> (Thu Mar  1 22:05:23 2018) [sssd[be[default]]] [sdap_op_add] (0x2000): New 
> operation 1 timeout 6
> (Thu Mar  1 22:05:23 2018) [sssd[be[default]]] [sdap_process_result] 
> (0x2000): Trace: sh[0x1231d90], connected[1], ops[0x1303b50], ldap[0x12d0010]
> (Thu Mar  1 22:05:23 2018) [sssd[be[default]]] [simple_bind_done] (0x2000): 
> Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].
> (Thu Mar  1 22:05:23 2018) [sssd[be[default]]] [simple_bind_done] (0x1000): 
> Password Policy Response: expire [-1] grace [-1] error [Account Locked].
> (Thu Mar  1 22:05:23 2018) [sssd[be[default]]] [simple_bind_done] (0x0400): 
> Bind result: Invalid credentials(49), no errmsg set

As you can see the main response from the server is
LDAP_INVALID_CREDENTIALS. To figure out what might be the reason extra
checks are needed. Currently there is some special handling for Active
Directory but none for OpenLDAP with enabled password policies.

Please open an RFE at https://pagure.io/SSSD/sssd/new_issue.

bye,
Sumit

> 
> And this is what showed up in /var/log/secure:
> 
> Mar  1 22:05:23 adms08 sshd[23044]: pam_unix(sshd:auth): authentication 
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=********  user=*********
> Mar  1 22:05:23 adms08 sshd[23044]: pam_sss(sshd:auth): authentication 
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=******* user=********
> Mar  1 22:05:23 adms08 sshd[23044]: pam_sss(sshd:auth): received for user 
> *********: 7 (Authentication failure)
> Mar  1 22:05:25 adms08 sshd[23044]: Failed password for ******* from 
> ********** port 55284 ssh2
> 
> I feel like this should give something other than the normal failed password 
> message.
> 
> Any help would be appreciated.
> 
> Thanks,
> Jeff
> 
> ________________________________
> 
> This message is intended only for the use of the intended recipient. If you 
> are not an intended recipient, you are hereby notified that any use, 
> dissemination, disclosure or copying of this communication is strictly 
> prohibited. If you have received this communication in error please destroy 
> all copies of this message and its attachments and notify the sender 
> immediately.

> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
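Added example, not SSSD code and not part of the thread: as Sumit points out, the backend already receives the ppolicy response control (error "Account Locked") alongside Invalid credentials(49), but pam_sss only sees a generic authentication failure. Until SSSD maps that control to a distinct PAM result, an administrator can still tell a locked account from a wrong password by reading the sssd_be debug log. The block below parses constructed log lines modelled on the ones quoted above, pairs each "Password Policy Response" line with the "Bind result" line that follows it, classifies the outcome, and joins it with the pam_sss line in /var/log/secure by timestamp (the username only appears there). Sample lines, usernames, hostnames and the verdict labels are constructed; the regexes assume the simple_bind_done() line format shown in the thread. One caveat worth keeping in mind: a lockout message in the PAM prompt tells an unauthenticated remote client which accounts exist and are locked, so a server-side classification like this is the less revealing place to surface that state.

```python
"""Classify sssd_be bind failures by OpenLDAP ppolicy response (added example, not SSSD code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LDAP_INVALID_CREDENTIALS = 49  # the "Invalid credentials(49)" result seen in the thread

# sssd_be debug lines written from simple_bind_done(); format copied from the thread.
PPOLICY_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) .*\[simple_bind_done\] \(0x[0-9a-f]+\): "
    r"Password Policy Response: expire \[(?P<expire>-?\d+)\] "
    r"grace \[(?P<grace>-?\d+)\] error \[(?P<error>[^\]]*)\]"
)
BIND_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) .*\[simple_bind_done\] \(0x[0-9a-f]+\): "
    r"Bind result: (?P<text>[^(]+)\((?P<code>\d+)\)"
)
# pam_sss failure line in /var/log/secure; this is the only place the username appears.
SECURE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"pam_sss\(sshd:auth\): received for user (?P<user>\S+): (?P<pam>\d+)"
)

# Constructed sample input modelled on the thread's logs (users and hosts are placeholders).
SAMPLE_SSSD_LOG = """\
(Thu Mar  1 22:05:23 2018) [sssd[be[default]]] [simple_bind_done] (0x1000): Password Policy Response: expire [-1] grace [-1] error [Account Locked].
(Thu Mar  1 22:05:23 2018) [sssd[be[default]]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), no errmsg set
(Thu Mar  1 22:07:10 2018) [sssd[be[default]]] [simple_bind_done] (0x1000): Password Policy Response: expire [-1] grace [-1] error [No error].
(Thu Mar  1 22:07:10 2018) [sssd[be[default]]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), no errmsg set
(Thu Mar  1 22:09:41 2018) [sssd[be[default]]] [simple_bind_done] (0x1000): Password Policy Response: expire [86400] grace [-1] error [No error].
(Thu Mar  1 22:09:41 2018) [sssd[be[default]]] [simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
"""
SAMPLE_SECURE_LOG = """\
Mar  1 22:05:23 adms08 sshd[23044]: pam_sss(sshd:auth): received for user alice: 7 (Authentication failure)
Mar  1 22:07:10 adms08 sshd[23101]: pam_sss(sshd:auth): received for user bob: 7 (Authentication failure)
"""


@dataclass
class BindOutcome:
    ts: str                       # sssd timestamp, e.g. "Thu Mar  1 22:05:23 2018"
    result_code: int
    result_text: str
    ppolicy_error: Optional[str]  # None when no ppolicy control preceded the result
    expire_secs: Optional[int]    # seconds until expiry; -1 means "not reported"
    verdict: str                  # constructed labels, see classify()


def classify(code: int, ppolicy_error: Optional[str], expire: Optional[int]) -> str:
    """Map (LDAP result code, ppolicy error text) to an operator-facing verdict."""
    err = (ppolicy_error or "").lower()
    if code == LDAP_INVALID_CREDENTIALS:
        if "locked" in err:
            return "account_locked"
        if "expired" in err:
            return "password_expired"
        return "bad_password"  # 49 without a ppolicy error is a plain wrong password
    if code == 0:
        return "success_password_expiring" if expire is not None and expire >= 0 else "success"
    return "other_failure"


def parse_sssd_binds(lines) -> List[BindOutcome]:
    """Pair each ppolicy response with the bind result logged in the same second."""
    pending = None  # last ppolicy response not yet paired with a bind result
    outcomes: List[BindOutcome] = []
    for line in lines:
        m = PPOLICY_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = BIND_RE.match(line)
        if not m:
            continue
        pp = pending if pending and pending["ts"] == m.group("ts") else None
        pending = None
        code = int(m.group("code"))
        error = pp["error"] if pp else None
        expire = int(pp["expire"]) if pp else None
        outcomes.append(BindOutcome(m.group("ts"), code, m.group("text").strip(),
                                    error, expire, classify(code, error, expire)))
    return outcomes


def secure_users_by_time(lines) -> Dict[Tuple[str, int, str], str]:
    """Index pam_sss failure lines by (month, day, hh:mm:ss)."""
    idx: Dict[Tuple[str, int, str], str] = {}
    for line in lines:
        m = SECURE_RE.match(line)
        if m:
            idx[(m.group("mon"), int(m.group("day")), m.group("time"))] = m.group("user")
    return idx


def correlate(outcomes: List[BindOutcome], secure_lines) -> List[Tuple[Optional[str], str]]:
    """Attach the PAM-side username to each outcome; None when no pam_sss line matched."""
    idx = secure_users_by_time(secure_lines)
    joined = []
    for o in outcomes:
        _weekday, mon, day, hms, _year = o.ts.split()  # "Thu Mar  1 22:05:23 2018"
        joined.append((idx.get((mon, int(day), hms)), o.verdict))
    return joined


if __name__ == "__main__":
    binds = parse_sssd_binds(SAMPLE_SSSD_LOG.splitlines())
    for user, verdict in correlate(binds, SAMPLE_SECURE_LOG.splitlines()):
        print(f"{user or '<no pam_sss line>'}: {verdict}")
```

Joining on the one-second timestamp is deliberately simple; on a busy host two binds can share a second, so in production you would also key on the sssd_be request id or run the correlation per domain. The point is that "account_locked" and "bad_password" are distinguishable from the backend log even though both reach sshd as "Failed password".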
