Domain section of sssd.conf
debug_level = 0xFFF0
id_provider = ad
ad_server = _srv_
dns_discovery_domain = sssdad.com
ad_domain = sssdad.com
chpass_provider = ad
krb5_canonicalize = False
Try to auth as a user (with "User must change password on next logon")
# ssh -l testuser1 localhost
Permission denied, please try again.
(Thu Jul 19 14:08:45 2012) [[sssd[krb5_child]]] [get_and_save_tgt] (0x0020): 862: [-1765328361][Password has expired]
(Thu Jul 19 14:08:45 2012) [[sssd[krb5_child]]] [tgt_req_child] (0x1000): Password was expired
(Thu Jul 19 14:08:45 2012) [[sssd[krb5_child]]] [tgt_req_child] (0x0020): 1141: [-1765328174][Generic preauthentication failure]
Jul 19 14:08:45 dhcp201-207 sshd: pam_sss(sshd:auth): system info: [Generic preauthentication failure]
Jul 19 14:08:45 dhcp201-207 sshd: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=testuser1
Jul 19 14:08:45 dhcp201-207 sshd: pam_sss(sshd:auth): received for user testuser1: 4 (System error)
Jul 19 14:08:47 dhcp201-207 sshd: Failed password for testuser1 from ::1 port 54887 ssh2
milestone: NEEDS_TRIAGE => SSSD 1.9.0
priority: major => blocker
rhbz: => 0
milestone: SSSD 1.9.0 => SSSD 1.9.0 RC1
owner: somebody => sgallagh
status: new => assigned
Ok, I did some digging today and this appears to be an issue with SSH only. If you try using "login" or "su" to authenticate the user, you are correctly prompted for password-change.
Additionally, this only happens (in my testing) when the user we are trying to log into requires a shell that is not available on the system running the openssh server. From my debugging, it appears that (for reasons unknown), SSH sends garbage in the authtok field of the pam_authenticate() call when the shell is nonexistent. I will be opening a bug against openssh on this.
Kaushik, please check that you have the user's shell installed on the system (or use vetoed_shells and fallback_shell to force it into something you do have) and retest.
proposed_priority: => Undefined
I opened https://bugzilla.redhat.com/show_bug.cgi?id=849241 against openssh in Fedora to address this issue. I'm closing this bug as INVALID. Please reopen it if you can reproduce the issue without an invalid shell in the user identity.
resolution: => invalid
status: assigned => closed
Metadata Update from @kaushikub:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.9.0 beta 7
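A check for the condition identified in the comments above (an account whose login shell is not installed on the host running sshd), as an added example that is not part of the original ticket or of SSSD. The function names and the sample passwd lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the SSSD ticket): report accounts whose login shell
# is not installed on this host, the condition the comments tie to the failed
# SSH password-change prompt.

# missing_shell_users (hypothetical helper name)
# Reads passwd(5)-format lines on stdin and prints "user shell" for every
# entry whose shell is absent or is not an executable regular file.
missing_shell_users() {
    while IFS=: read -r name _pw _uid _gid _gecos _home shell || [ -n "$name" ]; do
        # Skip blank lines and comments.
        case "$name" in ''|\#*) continue ;; esac
        # An empty shell field means /bin/sh (passwd(5)).
        [ -n "$shell" ] || shell=/bin/sh
        if [ ! -f "$shell" ] || [ ! -x "$shell" ]; then
            printf '%s %s\n' "$name" "$shell"
        fi
    done
}

# Constructed sample input: testuser1 has a shell path that does not exist,
# testuser2 uses /bin/sh, testuser3 has an empty shell field.
sample_passwd() {
    cat <<'EOF'
testuser1:*:1001:1001:Test User 1:/home/testuser1:/opt/constructed/bin/ksh
testuser2:*:1002:1002:Test User 2:/home/testuser2:/bin/sh
testuser3:*:1003:1003:Test User 3:/home/testuser3:
EOF
}

sample_passwd | missing_shell_users
# On a live host, check what the name service actually returns for the account:
#   getent passwd testuser1 | missing_shell_users
```

Any account this prints is one to retest with a shell that exists on the server before treating the SSH failure as an SSSD problem.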