PAM/SSSD/AD - user not prompted to change password


I have a PAM/SSSD configuration authenticating against Active Directory (using pam_sss.so) on Red Hat Enterprise Linux 7.x. The [auth] section is configured like below:

auth sufficient pam_sss.so forward_pass

In active directory the user is flagged to force password change at next login.

When this particular user logs in the following is logged (sssd logs; debug_level=6):

(Fri Aug 17 14:02:06 2018) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [12 (Authentication token is no longer valid; new one required)][AD]
(Fri Aug 17 14:02:06 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [12]: Authentication token is no longer valid; new one required.
(Fri Aug 17 14:02:06 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Fri Aug 17 14:02:06 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 19

In /var/log/secure the following items can be found:

Aug 16 14:02:16 hostname sshd[48860]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=someuser
Aug 16 14:02:16 hostname sshd[48860]: pam_sss(sshd:auth): received for user someuser: 12 (Authentication token is no longer valid; new one required)

The issue is that the user is never prompted to change the password; instead a valid shell is opened and the user is logged in. The expectation is that the user would be prompted to change the password instead.

If the user runs 'passwd' from the command line after being logged in, the password is successfully changed, and the flag to force password change is removed from Active Directory.

If pam_sss fails, which I assume it does based on the message "authentication failure", why is the user never prompted to change password?

Thank You.
Scott

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
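Two checks a practitioner would run when chasing the symptom described in this message, written as an added example that is not part of the original post. The first correlates /var/log/secure lines by sshd PID and reports every login where pam_sss returned PAM_NEW_AUTHTOK_REQD (12) and a session was nevertheless opened for that user, which is exactly the case the poster saw. The second parses a PAM stack and lists the management groups with no pam_sss.so entry; sshd starts its password-change dialogue from the account phase (pam_acct_mgmt returning PAM_NEW_AUTHTOK_REQD), so an auth-only pam_sss.so entry such as the one in the post is the first thing to verify. The log lines and the PAM stack below are constructed samples, not the poster's real data; the address 192.0.2.10 is a documentation address.

```python
"""Added example: correlate pam_sss 'new token required' results with opened
sessions, and check which PAM stacks lack pam_sss.so. Not from the original post."""
import re

# Constructed sample of /var/log/secure lines (not the poster's real log).
SAMPLE_SECURE_LOG = """\
Aug 16 14:02:16 hostname sshd[48860]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=someuser
Aug 16 14:02:16 hostname sshd[48860]: pam_sss(sshd:auth): received for user someuser: 12 (Authentication token is no longer valid; new one required)
Aug 16 14:02:17 hostname sshd[48860]: pam_unix(sshd:session): session opened for user someuser by (uid=0)
Aug 16 14:05:01 hostname sshd[48901]: pam_sss(sshd:auth): received for user otheruser: 7 (Authentication failure)
Aug 16 14:06:30 hostname sshd[48950]: pam_unix(sshd:session): session opened for user gooduser by (uid=0)
"""

# Constructed PAM stack resembling the poster's auth line; pam_sss.so is
# deliberately absent from the account group.
SAMPLE_PAM_STACK = """\
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
password    sufficient    pam_sss.so use_authtok
session     optional      pam_sss.so
"""

PAM_NEW_AUTHTOK_REQD = 12  # numeric value from <security/_pam_types.h>

# "received for user X: N (message)" is the line pam_sss writes for a non-success result.
PAM_RESULT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:auth\): received for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<msg>[^)]*)\)")
# pam_unix's standard session-open line.
SESSION_OPEN_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:session\): session opened for user (?P<user>\S+)")


def find_unenforced_password_changes(log_text):
    """Return [(pid, user)] for each sshd process in which pam_sss reported
    PAM_NEW_AUTHTOK_REQD and a session was still opened for the same user.
    Correlation is by sshd PID, so feed it one log at a time; PID reuse across
    a very long log could produce a false pairing."""
    pending = {}  # sshd pid -> user that received result 12
    hits = []
    for line in log_text.splitlines():
        m = PAM_RESULT_RE.search(line)
        if m:
            if int(m.group("code")) == PAM_NEW_AUTHTOK_REQD:
                pending[m.group("pid")] = m.group("user")
            continue
        m = SESSION_OPEN_RE.search(line)
        if m and pending.get(m.group("pid")) == m.group("user"):
            hits.append((m.group("pid"), m.group("user")))
            del pending[m.group("pid")]
    return hits


def _split_pam_line(line):
    """Return (group, control, module) for a pam.d line, handling both simple
    control words and bracketed '[value=action ...]' controls; None if malformed."""
    line = line.split("#", 1)[0].strip()
    parts = line.split(None, 1)
    if len(parts) < 2:
        return None
    group, rest = parts
    if rest.startswith("["):
        end = rest.find("]")
        if end < 0:
            return None
        control, rest = rest[:end + 1], rest[end + 1:].strip()
    else:
        sp = rest.split(None, 1)
        if len(sp) < 2:
            return None
        control, rest = sp
    module = rest.split()[0] if rest.split() else None
    return (group.lstrip("-"), control, module) if module else None


def stacks_missing_pam_sss(pam_text):
    """Return the management groups (auth/account/password/session) that have
    no pam_sss.so entry in the given stack."""
    present = {"auth": False, "account": False, "password": False, "session": False}
    for line in pam_text.splitlines():
        parsed = _split_pam_line(line)
        if parsed and parsed[0] in present and parsed[2].endswith("pam_sss.so"):
            present[parsed[0]] = True
    return [g for g, ok in present.items() if not ok]


if __name__ == "__main__":
    for pid, user in find_unenforced_password_changes(SAMPLE_SECURE_LOG):
        print(f"sshd[{pid}]: session opened for {user} after PAM_NEW_AUTHTOK_REQD")
    print("stacks without pam_sss.so:", stacks_missing_pam_sss(SAMPLE_PAM_STACK))
```

To use it on a real host, replace the two sample strings with the contents of /var/log/secure and the PAM service file that sshd actually uses (on RHEL 7 usually /etc/pam.d/sshd together with the system-auth and password-auth files it includes); any group reported missing pam_sss.so, especially account, is where to look first.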


