#1953 System error while trying to auth as an expired user
Closed: Fixed. Opened 7 years ago by kaushikub.

Version of sssd used is sssd-1.10.0-7.fc20.beta1

# ssh -l user05 localhost    <== A password-less auth (public key in ssh/authorized_keys)
Connection closed by ::1

sssd.conf domain section has:

[domain/AD]
id_provider = ldap
ldap_uri = ldaps://adserver.example.com
ldap_tls_cacert = /etc/openldap/certs/ad_cert.pem
ldap_schema = ad
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
ldap_default_authtok = XXXXX
ldap_search_base = dc=example,dc=com
ldap_force_upper_case_realm = True
access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy=ad
ldap_referrals = false

/var/log/secure shows:

May 24 08:52:31 dhcp207-114 sshd[8403]: pam_sss(sshd:account): system
info: [The user account is expired on the AD server]
May 24 08:52:31 dhcp207-114 sshd[8403]: pam_sss(sshd:account): Access
denied for user user05: 4 (System error)
May 24 08:52:31 dhcp207-114 sshd[8403]: fatal: Access denied for user
user05 by PAM account configuration [preauth]

domain log shows:

(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [be_pam_handler] (0x0100): Got
request with the following data
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [pam_print_data] (0x0100):
command: PAM_ACCT_MGMT
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [pam_print_data] (0x0100):
domain: AD
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [pam_print_data] (0x0100): user:
user05
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [pam_print_data] (0x0100):
service: sshd
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [pam_print_data] (0x0100): tty:
ssh
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [pam_print_data] (0x0100):
ruser:
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [pam_print_data] (0x0100):
rhost: localhost
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [pam_print_data] (0x0100):
authtok type: 0
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [pam_print_data] (0x0100):
newauthtok type: 0
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [pam_print_data] (0x0100): priv:
1
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [pam_print_data] (0x0100):
cli_pid: 8403
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [sdap_access_send] (0x0400):
Performing access check for user [user05]
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [ldb] (0x4000): Added timed
event "ltdb_callback": 0xb817a260

(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [ldb] (0x4000): Added timed
event "ltdb_timeout": 0xb817a2c0

(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [ldb] (0x4000): Destroying timer
event 0xb817a2c0 "ltdb_timeout"

(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [ldb] (0x4000): Ending timer
event 0xb817a260 "ltdb_callback"

(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [sdap_account_expired_ad]
(0x0400): Performing AD access check for user [user05]
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [sdap_account_expired_ad]
(0x4000): User account control for user [user05] is [200].
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [sdap_account_expired_ad]
(0x4000): Expiration time for user [user05] is [129465018000000000].
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [sdap_account_expired] (0x0020):
sdap_account_expired_ad failed.
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [sdap_access_done] (0x0020):
Error retrieving access check result.
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [be_pam_handler_callback]
(0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [be_pam_handler_callback]
(0x0100): Sending result [4][AD]
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [be_pam_handler_callback]
(0x0100): Sent result [4][AD]
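
The values in the domain log above can be decoded to confirm that the account really is expired while the backend reports a system error. This is an added example, not part of the original report or SSSD's code; it assumes the user account control value is logged in hexadecimal and that log timestamps are UTC, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: three records from the domain log in the report, unwrapped.
SAMPLE_LOG = """\
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [sdap_account_expired_ad] (0x4000): User account control for user [user05] is [200].
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [sdap_account_expired_ad] (0x4000): Expiration time for user [user05] is [129465018000000000].
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [be_pam_handler_callback] (0x0100): Sending result [4][AD]
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)  # AD accountExpires values meaning "no expiry"
UAC_ACCOUNTDISABLE = 0x0002              # AD userAccountControl flag
PAM_SYSTEM_ERR = 4                       # Linux-PAM return code


def filetime_to_utc(ticks):
    """AD accountExpires counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def field(pattern, text):
    return re.search(pattern, text, re.M).group(1)


def triage(log_text):
    stamp = field(r"^\((.+?)\)", log_text)
    # Assumption: the log timestamp is treated as UTC.
    when = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    # Assumption: SSSD prints the userAccountControl value in hex.
    uac = int(field(r"User account control for user \[[^\]]+\] is \[(\w+)\]", log_text), 16)
    ticks = int(field(r"Expiration time for user \[[^\]]+\] is \[(\d+)\]", log_text))
    result = int(field(r"Sending result \[(\d+)\]", log_text))
    expiry = None if ticks in NEVER_EXPIRES else filetime_to_utc(ticks)
    expired = expiry is not None and expiry <= when
    return {
        "uac": uac,
        "disabled": bool(uac & UAC_ACCOUNTDISABLE),
        "expiry": expiry,
        "expired": expired,
        # An expired account answered with a system error instead of a denial.
        "misreported": expired and result == PAM_SYSTEM_ERR,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
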

Might be a dup of #1827. Jakub will investigate.

Not a duplicate, this is a new bug.

changelog: =>
priority: major => critical

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10.0

Fields changed

rhbz: => 0

Fields changed

owner: somebody => pbrezina
status: new => assigned

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

Metadata Update from @kaushikub:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.10.0

3 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/2995

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
