#1953 System error while trying to auth as an expired user
Closed: Fixed None Opened 5 years ago by kaushikub.

Version of sssd used is sssd-1.10.0-7.fc20.beta1

# ssh -l user05 localhost    <== A password-less auth (public key in ssh/authorized_keys)
Connection closed by ::1

sssd.conf domain section has:

[domain/AD]
id_provider = ldap
ldap_uri = ldaps://adserver.example.com
ldap_tls_cacert = /etc/openldap/certs/ad_cert.pem
ldap_schema = ad
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
ldap_default_authtok = XXXXX
ldap_search_base = dc=example,dc=com
ldap_force_upper_case_realm = True
access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy=ad
ldap_referrals = false

/var/log/secure shows:

May 24 08:52:31 dhcp207-114 sshd[8403]: pam_sss(sshd:account): system info: [The user account is expired on the AD server]
May 24 08:52:31 dhcp207-114 sshd[8403]: pam_sss(sshd:account): Access denied for user user05: 4 (System error)
May 24 08:52:31 dhcp207-114 sshd[8403]: fatal: Access denied for user user05 by PAM account configuration [preauth]

domain log shows:

(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [be_pam_handler] (0x0100): Got request with the following data
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [pam_print_data] (0x0100): domain: AD
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [pam_print_data] (0x0100): user: user05
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [pam_print_data] (0x0100): service: sshd
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [pam_print_data] (0x0100): tty: ssh
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [pam_print_data] (0x0100): ruser:
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [pam_print_data] (0x0100): rhost: localhost
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [pam_print_data] (0x0100): authtok type: 0
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [pam_print_data] (0x0100): newauthtok type: 0
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [pam_print_data] (0x0100): priv: 1
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [pam_print_data] (0x0100): cli_pid: 8403
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [sdap_access_send] (0x0400): Performing access check for user [user05]
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0xb817a260
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xb817a2c0
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [ldb] (0x4000): Destroying timer event 0xb817a2c0 "ltdb_timeout"
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [ldb] (0x4000): Ending timer event 0xb817a260 "ltdb_callback"
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [sdap_account_expired_ad] (0x0400): Performing AD access check for user [user05]
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [sdap_account_expired_ad] (0x4000): User account control for user [user05] is [200].
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [sdap_account_expired_ad] (0x4000): Expiration time for user [user05] is [129465018000000000].
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [sdap_account_expired] (0x0020): sdap_account_expired_ad failed.
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [sdap_access_done] (0x0020): Error retrieving access check result.
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [be_pam_handler_callback] (0x0100): Sending result [4][AD]
(Fri May 24 08:52:31 2013) [sssd[be[AD]]] [be_pam_handler_callback] (0x0100): Sent result [4][AD]
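As an added example, not code from SSSD or from this ticket, the script below interprets the two AD attribute values that sdap_account_expired_ad logs above (the [200] is read as hexadecimal, i.e. 0x200 NORMAL_ACCOUNT; accountExpires is a Windows FILETIME) and shows the PAM result an expired account ought to produce: PAM_ACCT_EXPIRED (13), a denial, rather than the PAM_SYSTEM_ERR (4) seen in the log. The PAM codes and FILETIME sentinels are standard values; the check time is an assumption taken from the log line's timestamp.

```python
# Added illustration, not SSSD code: interpret the two AD attribute values
# that sdap_account_expired_ad logs and map them to a PAM result.
from datetime import datetime, timezone

# Linux-PAM return codes (security/_pam_types.h)
PAM_SUCCESS = 0
PAM_SYSTEM_ERR = 4      # what the backend returned in the ticket (the bug)
PAM_PERM_DENIED = 6
PAM_ACCT_EXPIRED = 13   # what an expired account should map to

# userAccountControl bits
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200   # the [200] shown in the log, read as hex

# accountExpires is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
# Both 0 and 0x7FFFFFFFFFFFFFFF mean "never expires".
FILETIME_NEVER = (0, 0x7FFFFFFFFFFFFFFF)
EPOCH_DIFF_SECONDS = 11644473600   # 1601-01-01 to 1970-01-01


def filetime_to_unix(ft: int) -> int:
    """Convert an accountExpires FILETIME value to Unix seconds (UTC)."""
    return ft // 10_000_000 - EPOCH_DIFF_SECONDS


def filetime_to_iso(ft: int) -> str:
    """Human-readable UTC timestamp for an accountExpires value."""
    return datetime.fromtimestamp(filetime_to_unix(ft), tz=timezone.utc).isoformat()


def ad_account_check(uac: int, account_expires: int, now_unix: int) -> int:
    """PAM code for an AD account given its UAC flags, expiry and check time."""
    if uac & UF_ACCOUNTDISABLE:
        return PAM_PERM_DENIED
    if account_expires in FILETIME_NEVER:
        return PAM_SUCCESS
    if filetime_to_unix(account_expires) <= now_unix:
        return PAM_ACCT_EXPIRED     # a denial, never PAM_SYSTEM_ERR
    return PAM_SUCCESS


if __name__ == "__main__":
    # Values from the domain log in this ticket; 1369385551 is the log line's
    # timestamp (Fri May 24 08:52:31 2013) taken as UTC (an assumption).
    uac, expires, when = int("200", 16), 129465018000000000, 1369385551
    print(filetime_to_iso(expires))                 # 2011-04-05T18:30:00+00:00
    print(ad_account_check(uac, expires, when))     # 13 (PAM_ACCT_EXPIRED)
```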

Might be a dup of #1827. Jakub will investigate.

Not a duplicate, this is a new bug.

changelog: =>
priority: major => critical

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10.0

Fields changed

rhbz: => 0

Fields changed

owner: somebody => pbrezina
status: new => assigned

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

Metadata Update from @kaushikub:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.10.0

2 years ago
