PAM/SSSD -- password change prompt not displayed



I have a PAM/SSSD configuration authenticating against Active Directory (using on Red Hat Enterprise Linux 7.x. The [auth] section is configured like below:

auth sufficient pam_sss.so forward_pass

In active directory the user is flagged to force password change at next login.

When this particular user logs in the following is logged (sssd logs; debug_level=6):

(Fri Aug 17 14:02:06 2018) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [12 (Authentication token is no longer valid; new one required)][AD]
(Fri Aug 17 14:02:06 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [12]: Authentication token is no longer valid; new one required.
(Fri Aug 17 14:02:06 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Fri Aug 17 14:02:06 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 19

In /var/log/secure the following items can be found

Aug 16 14:02:16 hostname sshd[48860]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=someuser
Aug 16 14:02:16 hostname sshd[48860]: pam_sss(sshd:auth): received for user someuser: 12 (Authentication token is no longer valid; new one required)

The issue is that the user is never prompted to change the password; instead a valid shell is opened and the user is logged in. The expectation is that the user would be prompted to change the password instead.

If the user runs 'passwd' from the command line after being logged in, the password is successfully changed, and the flag to force password change is removed from Active Directory.

If pam_sss fails, which I assume it does based on the message "authentication failure", why is the user never prompted to change password?

Thank You.
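As an added illustration (not from the poster), the following script parses the pam_sss result lines of the form shown above in /var/log/secure and reports which users and sshd PIDs hit return code 12, which in Linux-PAM is PAM_NEW_AUTHTOK_REQD (credential accepted, but a password change is required). An administrator can run it over the log to audit logins that took this path; the sample lines are constructed from the post's example plus one invented failure line.

```python
import re
from collections import defaultdict

# Linux-PAM return code 12 is PAM_NEW_AUTHTOK_REQD: the credential was
# accepted but the password must be changed before use continues.
PAM_NEW_AUTHTOK_REQD = 12

# Matches pam_sss "received for user ..." lines as written to /var/log/secure.
# The preceding "authentication failure; logname= ..." line is not a result
# line and is deliberately ignored.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: "
    r"pam_sss\((?P<service>\w+):(?P<phase>\w+)\): "
    r"received for user (?P<user>\S+): (?P<code>\d+) \((?P<msg>[^)]*)\)$"
)

def parse_pam_sss_results(lines):
    """Return one dict per pam_sss result line (ts, host, pid, service, phase, user, code, msg)."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            rec["code"] = int(rec["code"])
            records.append(rec)
    return records

def users_needing_password_change(lines):
    """Map user -> list of PIDs whose auth phase ended with PAM_NEW_AUTHTOK_REQD."""
    hits = defaultdict(list)
    for rec in parse_pam_sss_results(lines):
        if rec["phase"] == "auth" and rec["code"] == PAM_NEW_AUTHTOK_REQD:
            hits[rec["user"]].append(rec["pid"])
    return dict(hits)

# Constructed sample: the two lines from the post plus one ordinary failure
# (PAM_AUTH_ERR = 7) for a second, invented user.
SAMPLE_SECURE = [
    "Aug 16 14:02:16 hostname sshd[48860]: pam_sss(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost= user=someuser",
    "Aug 16 14:02:16 hostname sshd[48860]: pam_sss(sshd:auth): received for user someuser: "
    "12 (Authentication token is no longer valid; new one required)",
    "Aug 16 14:05:01 hostname sshd[48901]: pam_sss(sshd:auth): received for user otheruser: "
    "7 (Authentication failure)",
]

if __name__ == "__main__":
    for user, pids in users_needing_password_change(SAMPLE_SECURE).items():
        print(f"{user}: password change required, sshd pids {pids}")
```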

Pam-list mailing list
