[SSSD-users] Password expiration in AD with SSSD

Thu, 11 Feb 2021 09:48:28 -0800 

Hi,
I want to warn users when password expiration days are less than 14 days.

I have GPO Default domain policy with this number of days.
I have sssd.conf as:

[sssd]
domains = internal.domain.tld
config_file_version = 2
services = nss, pam

[domain/internal.domain.tld]
cache_credentials = True
debug_level = 6
id_provider = ad
auth_provider = ad
access_provider = ad

default_shell = /bin/bash
fallback_homedir = /home/%d/%u
ldap_id_mapping = True
ldap_schema = ad
enumerate = True
ad_site=internal1

ad_gpo_access_control = permissive

ad_gpo_ignore_unreadable = True

And pam.d as follow:

#%PAM-1.0

auth      sufficient pam_sss.so forward_pass
auth      required   pam_unix.so     try_first_pass nullok
auth      optional    pam_permit.so
auth      required    pam_env.so
#auth      requisite    pam_deny.so

account   required    pam_unix.so
account   [default=bad success=ok user_unknown=ignore]  pam_sss.so
account   optional    pam_permit.so
account   required    pam_time.so

password  required    pam_unix.so     try_first_pass nullok sha512 shadow
password  sufficient                                    pam_sss.so
use_authok
password  optional    pam_permit.so

session   required                                      pam_mkhomedir.so
skel=/etc/skel/ umask=0022
session   required    pam_limits.so
session   required    pam_unix.so
session   optional    pam_sss.so
session   optional    pam_permit.so


User has password valid till 20.02.2020 and yet I don't have any warning.
I had to add ad_gpo_ignore_unreadable = True and ad_gpo_access_control =
permissive to my config because without it I end up with "System error"
during login and unsuccessful login.

In gpo_cache I see Machine gpo with lines:

[Registry Values]
MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14

Any idea how to turn on this warning?

Thanks for your help!
-----
Best regards,
Pawel

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Reply via email to