#2299 Password-less login is allowed for expired ad user
Closed: duplicate 5 years ago by jhrozek. Opened 9 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1081046

Description of problem:
Passwordless login works for expired AD user

Version-Release number of selected component (if applicable):
1.11.2-61

How reproducible:
Always

Steps to Reproduce:
1. User is expired on the AD server.

2. sssd.conf has:
[domain/sssdad2012.com]
debug_level = 0xFFF0
id_provider = ad
ad_server = kauwin.sssdad2012.com
ad_domain = sssdad2012.com
access_provider = ad
fallback_homedir = /home/%u

3. Try to auth as the user
# ssh -l testuser01 localhost
testuser01@localhost's password:
Permission denied, please try again.
testuser01@localhost's password:

4. /var/log/secure shows:
Mar 26 17:19:01 dhcp207-186 sshd[26869]: pam_sss(sshd:auth): received for user testuser01: 13 (User account has expired)

5. Now, set up password-less auth using an ssh public key.

6. Auth as the user
# ssh -l testuser01 localhost
Last login: Wed Mar 26 16:57:55 2014 from localhost
-sh-4.2$    <== User login should have failed

Actual results:
Password-less user login works

Expected results:
User login should have failed.

Additional info:
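
Added example, not part of the original ticket or of SSSD: a log check that flags the pattern from steps 4 and 6, a public-key login accepted for a user that pam_sss has already reported as expired. The sample log is constructed; the "Accepted publickey" line format, `testuser02`, the PIDs and ports are assumptions.

```python
import re

# Constructed /var/log/secure sample. Only the pam_sss message format comes from
# step 4 of the ticket; testuser02, PIDs, ports and fingerprints are made up.
SAMPLE_LOG = """\
Mar 26 17:19:01 dhcp207-186 sshd[26869]: pam_sss(sshd:auth): received for user testuser01: 13 (User account has expired)
Mar 26 17:19:05 dhcp207-186 sshd[26869]: Failed password for testuser01 from ::1 port 51514 ssh2
Mar 26 17:25:40 dhcp207-186 sshd[26990]: Accepted publickey for testuser01 from ::1 port 51520 ssh2: RSA <fingerprint>
Mar 26 17:26:02 dhcp207-186 sshd[27011]: Accepted publickey for testuser02 from ::1 port 51533 ssh2: RSA <fingerprint>
"""

# pam_sss reports PAM error 13 when the account has expired (step 4).
EXPIRED = re.compile(
    r"pam_sss\(sshd:\w+\): received for user (\S+): 13 \(User account has expired\)")
# sshd's success message for a key-based login (what step 6 would leave behind).
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted publickey for (\S+) from (\S+) port \d+")


def expired_key_logins(lines):
    """Return (user, source, line) for every publickey login by a user that
    pam_sss reported as expired earlier in the same log."""
    expired = set()
    hits = []
    for line in lines:
        m = EXPIRED.search(line)
        if m:
            expired.add(m.group(1))
            continue
        m = ACCEPTED.search(line)
        if m and m.group(1) in expired:
            hits.append((m.group(1), m.group(2), line.strip()))
    return hits


if __name__ == "__main__":
    for user, source, line in expired_key_logins(SAMPLE_LOG.splitlines()):
        print(f"ALERT: expired account {user} logged in with a key from {source}")
        print(f"  {line}")
```

The check only sees expiry that pam_sss reported during an earlier password attempt in the same log, so an expired user who only ever uses keys is not flagged.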

We should eventually just connect to LDAP, not GC, at least with access control. The GC turns out to be quite useless over time with so many attributes we rely on not being replicated to GC.

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
review: True => 0
selected: =>
testsupdated: => 0

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13 beta

Workaround is to disable GC in the sssd.conf.

Fields changed

mark: => 0

Fields changed

milestone: SSSD 1.13 beta => SSSD 1.13 backlog

Mass-moving tickets not planned for the 1.13 release to 1.14

milestone: SSSD 1.13 backlog => SSSD 1.14 beta

Fields changed

priority: major => minor
sensitive: => 0

This feature depends on implementing the S4U2Self functionality which is a stretch goal for 1.14, so I'm moving this ticket to backlog.

milestone: SSSD 1.14 beta => SSSD 1.14 backlog

Since the 1.14 branch is transitioning into maintenance mode and new functionality is being developed in master which will become 1.15 eventually, I'm mass-moving tickets from the 1.14 backlog milestone to the "Future releases" milestone.

milestone: SSSD 1.14 backlog => SSSD Future releases (no date set yet)

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD Future releases (no date set yet)

7 years ago

This was fixed by fixing issue #2474

Metadata Update from @jhrozek:
- Custom field design_review reset (from 0)
- Custom field mark reset (from 0)
- Custom field patch reset (from 0)
- Custom field review reset (from 0)
- Custom field sensitive reset (from 0)
- Custom field testsupdated reset (from 0)
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)

5 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/3341

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for any inconvenience.
