I have a PAM/SSSD configuration authenticating against Active Directory
(using pam_sss.so) on Red Hat Enterprise Linux 7.x. The [auth] section
is configured like below:
auth sufficient pam_sss.so forward_pass
In active directory the user is flagged to force password change at next
login.
When this particular user logs in the following is logged (sssd logs;
debug_level=6):
(Fri Aug 17 14:02:06 2018) [sssd[pam]] [pam_dp_process_reply] (0x0200):
received: [12 (Authentication token is no longer valid; new one
required)][AD]
(Fri Aug 17 14:02:06 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply
called with result [12]: Authentication token is no longer valid; new
one required.
(Fri Aug 17 14:02:06 2018) [sssd[pam]] [filter_responses] (0x0100):
[pam_response_filter] not available, not fatal.
(Fri Aug 17 14:02:06 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 19
In /var/log/secure the following items can be found
Aug 16 14:02:16 hostname sshd[48860]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4
user=someuser
Aug 16 14:02:16 hostname sshd[48860]: pam_sss(sshd:auth): received for
user someuser: 12 (Authentication token is no longer valid; new one
required)
The issue being that the user is never prompted to change password, but
rather a valid shell is open and user is logged in. The expectation
being that the user would be prompted to change password instead.
If the user runs 'passwd' from the command line after being logged in,
the password is successfully changed, and the flag to force password
change is removed from Active Directory.
If pam_sss fails, which I assume it does based on the message
"authentication failure", why is the user never prompted to change
password?
Thank You.
Scott
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
