[Freeipa-users] AD user password change via ssh login

Tue Jun 2 11:41:43 UTC 2015

On Tue, Jun 02, 2015 at 10:24:35AM +0000, Alexander Frolushkin wrote:
> Hello Jakub!
> Thank you for respond, I'll comment in text
> 
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek
> Sent: Tuesday, June 02, 2015 1:24 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] AD user password change via ssh login
> 
> On Tue, Jun 02, 2015 at 06:21:59AM +0000, Alexander Frolushkin wrote:
> >> Hello.
> >> Maybe this is a little off topic, sorry if so.
> >
> >> Faced a strange behavior of server when trying to login a newly created user from AD, which have a password must be changed on first login.
> >> Using this user to login via ssh to server feeds to ssh session termination without any messages regarding to password expire. If I do kinit this user on same server, it does request password change.
> >>
> >> In secure log:
> >> Jun  2 12:18:15 server sshd[9830]: pam_unix(sshd:auth): authentication
> >> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.100.1
> >> user=sdemiden at ad.com Jun  2 12:18:15 server sshd[9830]:
> >> pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
> >> tty=ssh ruser= rhost=10.10.100.1 user=sdemiden at ad.com Jun  2 12:18:15
> >> server sshd[9830]: pam_sss(sshd:auth): received for user
> >> sdemiden at ad.com: 12 (Authentication token is no longer valid; new one
> >> required) Jun  2 12:18:15 server sshd[9830]: pam_sss(sshd:account):
> >> Access denied for user sdemiden at ad.com: 6 (Permission denied)
> 
> >It would be interesting to see the logs, because you're being denied in the account phase, where I would expect the user being either expired, locked or denied by HBAC rules.
> Do you mean sssd logs in debug?

Yes,in the domain section of sssd.con

> 
> >Does the login work with such user if you (temporarily!!) set access_provider=permit ?
> Yes, it does. With this it asks to change password as usual.

Then it would be really interesting to see the domain logs to see which
part of access provider denies access.

> 
> >> Jun  2 12:18:15 server sshd[9830]: Failed password for sdemiden at ad.com
> >> from 10.10.100.1 port 41859 ssh2 Jun  2 12:18:15 server sshd[9831]:
> >> fatal: Access denied for user sdemiden at ad.com by PAM account
> >> configuration
> >>
> >> If I further change the password of user manually from Windows, login works as expected.
> >>
> >> WBR,
> >> Alexander Frolushkin
> >> Cell +79232508764
> >> Work +79232507764
> >
> 
> ________________________________
> 
> Информация в этом сообщении предназначена исключительно для конкретных лиц, которым она адресована. В сообщении может содержаться конфиденциальная информация, которая не может быть раскрыта или использована кем-либо, кроме адресатов. Если вы не адресат этого сообщения, то использование, переадресация, копирование или распространение содержания сообщения или его части незаконно и запрещено. Если Вы получили это сообщение ошибочно, пожалуйста, незамедлительно сообщите отправителю об этом и удалите со всем содержимым само сообщение и любые возможные его копии и приложения.
> 
> The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.
> 
> (c)20mf50