#1430 Password change prompt doesn't appear when "User must change password on next logon" is set for an AD user.
Closed: Invalid. Opened 6 years ago by kaushikub.

Domain section of sssd.conf

debug_level = 0xFFF0
id_provider = ad
ad_server = _srv_
dns_discovery_domain = sssdad.com
ad_domain = sssdad.com
chpass_provider = ad
krb5_canonicalize = False

Try to auth as a user (with "User must change password on next logon"):

# ssh -l testuser1 localhost
testuser1@localhost's password: 
Permission denied, please try again.
testuser1@localhost's password:

/var/log/sssd/krb5_child.log shows:

(Thu Jul 19 14:08:45 2012) [[sssd[krb5_child[27050]]]] [get_and_save_tgt] (0x0020): 862: [-1765328361][Password has expired]
(Thu Jul 19 14:08:45 2012) [[sssd[krb5_child[27050]]]] [tgt_req_child] (0x1000): Password was expired
(Thu Jul 19 14:08:45 2012) [[sssd[krb5_child[27050]]]] [tgt_req_child] (0x0020): 1141: [-1765328174][Generic preauthentication failure]

/var/log/secure shows:

Jul 19 14:08:45 dhcp201-207 sshd[27048]: pam_sss(sshd:auth): system info: [Generic preauthentication failure]
Jul 19 14:08:45 dhcp201-207 sshd[27048]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=testuser1
Jul 19 14:08:45 dhcp201-207 sshd[27048]: pam_sss(sshd:auth): received for user testuser1: 4 (System error)
Jul 19 14:08:47 dhcp201-207 sshd[27048]: Failed password for testuser1 from ::1 port 54887 ssh2

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.0
priority: major => blocker
rhbz: => 0

Fields changed

milestone: SSSD 1.9.0 => SSSD 1.9.0 RC1

Fields changed

owner: somebody => sgallagh
status: new => assigned

Ok, I did some digging today and this appears to be an issue with SSH only. If you try using "login" or "su" to authenticate the user, you are correctly prompted for password-change.

Additionally, this only happens (in my testing) when the user we are trying to log into requires a shell that is not available on the system running the openssh server. From my debugging, it appears that (for reasons unknown), SSH sends garbage in the authtok field of the pam_authenticate() call when the shell is nonexistent. I will be opening a bug against openssh on this.

Kaushik, please check that you have the user's shell installed on the system (or use vetoed_shells and fallback_shell to force it into something you do have) and retest.

proposed_priority: => Undefined
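
A triage helper built around the failure signature in this ticket (an added example, not code from the SSSD project or from anyone in the thread). It applies sgallagh's finding above: when krb5_child reports an expired password followed by a preauthentication failure and pam_sss hands sshd a "System error", check whether the user's login shell actually exists on the host before treating the missing change-password prompt as an SSSD bug. The log lines are copies of the ones posted here, the passwd entry and VALID_SHELLS (standing in for /etc/shells) are constructed.

```python
import re

# Constructed sample input, copied from the log excerpts in this ticket.
KRB5_CHILD_LOG = """\
(Thu Jul 19 14:08:45 2012) [[sssd[krb5_child[27050]]]] [get_and_save_tgt] (0x0020): 862: [-1765328361][Password has expired]
(Thu Jul 19 14:08:45 2012) [[sssd[krb5_child[27050]]]] [tgt_req_child] (0x1000): Password was expired
(Thu Jul 19 14:08:45 2012) [[sssd[krb5_child[27050]]]] [tgt_req_child] (0x0020): 1141: [-1765328174][Generic preauthentication failure]
"""
SECURE_LOG = """\
Jul 19 14:08:45 dhcp201-207 sshd[27048]: pam_sss(sshd:auth): system info: [Generic preauthentication failure]
Jul 19 14:08:45 dhcp201-207 sshd[27048]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=testuser1
Jul 19 14:08:45 dhcp201-207 sshd[27048]: pam_sss(sshd:auth): received for user testuser1: 4 (System error)
"""

# Constructed stand-in for /etc/shells on the box running sshd.
VALID_SHELLS = {"/bin/sh", "/bin/bash"}

# Matches the pam_sss line that carries the PAM return code back to sshd.
PAM_SSS_RESULT = re.compile(
    r"pam_sss\(sshd:auth\): received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)


def shell_is_available(passwd_entry, valid_shells=VALID_SHELLS):
    """True if the login shell (7th passwd field) is one the host actually has."""
    shell = passwd_entry.rstrip("\n").split(":")[6]
    return shell in valid_shells


def triage_login_failure(krb5_child_log, secure_log, passwd_entry):
    """Classify a failed SSH login using the signature from this ticket.

    Returns one of:
      "no-match"       - logs do not show the expired-password + System error pair
      "missing-shell"  - signature present and the user's shell is not on this host
                         (the condition sgallagh identified; fix the shell, not SSSD)
      "expired-no-chpass-prompt" - signature present with a valid shell; worth a new report
    """
    expired = "[Password has expired]" in krb5_child_log
    preauth = "[Generic preauthentication failure]" in krb5_child_log
    result = PAM_SSS_RESULT.search(secure_log)
    if not (expired and preauth and result and result.group("text") == "System error"):
        return "no-match"
    if not shell_is_available(passwd_entry):
        return "missing-shell"
    return "expired-no-chpass-prompt"
```

Running it against a real host means feeding it the two log files and the output of `getent passwd <user>`, and reading VALID_SHELLS from /etc/shells.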

I opened https://bugzilla.redhat.com/show_bug.cgi?id=849241 against openssh in Fedora to address this issue. I'm closing this bug as INVALID. Please reopen it if you can reproduce the issue without an invalid shell in the user identity.

resolution: => invalid
status: assigned => closed

Metadata Update from @kaushikub (2 years ago):
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.9.0 beta 7