Linux password change/expiration issue

Hi,
        I am trying to get password expiration to work on FC5/FDS 1.0.2
and having mixed results. I have set a user's shadowAccount attributes
as expired using the following values (with today being 13452):

shadowFlag: 0
shadowExpire: -1
shadowInactive: -1
shadowWarning: 0
shadowMax: 1
shadowMin: 1
shadowLastChange: 13452

All seems well when I log in.

You are required to change your LDAP password immediately.
Last login: Wed Nov  1 07:51:14 2006 from lin1000
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user fjones.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information changed for fjones
passwd: all authentication tokens updated successfully.
Connection to lin2600 closed.

Except I get booted off, and this is in /var/log/secure:

Nov  1 07:55:18 lin2600 passwd: pam_unix(passwd:chauthtok): user "fjones" does not exist in /etc/passwd 
Nov  1 07:55:29 lin2600 passwd: pam_unix(passwd:chauthtok): user "fjones" does not exist in /etc/passwd 
Nov  1 07:55:29 lin2600 sshd[17557]: pam_unix(sshd:session): session closed for user fjones

Attempts to log in again accept the new password, which has changed in LDAP,
but I am asked to go through the same loop of changing the password again. 
The shadow* attributes are NOT changed however. So that's either my culprit 
or maybe the PAM password entries are not right. That looks like this:

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

Finally, at the end of this document:

(http://directory.fedora.redhat.com/wiki/Howto:PAM)

It says to add the following to enable password expirations.

dn: cn=config
changetype: modify
add: passwordExp
passwordExp: on
-
add: passwordMaxAge
passwordMaxAge: 8640000

But my other tests seem to indicate some parts of expiration in fact
work. Is the above entry necessary?

Thanks so much.

-- 
- Kyle 
---------------------------------------------
kylet at panix.com   http://www.panix.com/~kylet    
---------------------------------------------
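
Added example, not part of the original post: a small Python model of how the shadow* aging attributes listed above are evaluated, showing why the forced change repeats for as long as shadowLastChange keeps its old value. The function names and status labels are hypothetical, and the comparison rules are assumed to follow conventional shadow(5) aging rather than any particular PAM module's code.

```python
from datetime import date

def epoch_day(d):
    """Days since 1970-01-01, the unit of the shadow* attributes."""
    return (d - date(1970, 1, 1)).days

def shadow_status(entry, today):
    """Classify a shadowAccount entry for a given epoch day.

    Assumption: conventional shadow(5) aging rules, where -1 (or a missing
    attribute) means "unset". Individual PAM modules may differ at the edges.
    """
    get = lambda name: int(entry.get(name, -1))
    last, mx = get("shadowLastChange"), get("shadowMax")
    warn, inact, exp = get("shadowWarning"), get("shadowInactive"), get("shadowExpire")

    if exp > 0 and today >= exp:
        return "account-expired"
    if last == 0:
        return "must-change"
    if last < 0 or mx < 0:
        return "ok"                      # aging not configured
    due = last + mx                      # first day the password counts as expired
    if inact >= 0 and today >= due + inact:
        return "locked-inactive"
    if today >= due:
        return "must-change"
    if warn > 0 and today >= due - warn:
        return "warn"
    return "ok"

# Attribute values as listed in the post.
FJONES = {"shadowFlag": 0, "shadowExpire": -1, "shadowInactive": -1,
          "shadowWarning": 0, "shadowMax": 1, "shadowMin": 1,
          "shadowLastChange": 13452}

def replay(entry, today, updates_last_change):
    """Status before and after a password change made on `today`."""
    before = shadow_status(entry, today)
    after_entry = dict(entry)
    if updates_last_change:
        after_entry["shadowLastChange"] = today
    return before, shadow_status(after_entry, today)

if __name__ == "__main__":
    today = epoch_day(date(2006, 11, 1))   # date of the /var/log/secure lines
    print(today, replay(FJONES, today, False), replay(FJONES, today, True))
```
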



