#2323 Expired shadow policy user(shadowLastChange=0) is not prompted for password change
Closed: Fixed. Opened 6 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1089250

Description of problem:
User with expired shadow policy is not prompted for password change when
shadowLastChange is 0

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Disable any server side password policies.
2. Set ldap_pwd_policy = shadow in sssd.conf
debug_level = 0xFFF0
id_provider = ldap
ldap_uri = ldap://<ldapserver>
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
ldap_search_base = dc=example,dc=com
ldap_pwd_policy = shadow

3. Set shadowLastChange to 0 in the user ldap attribute.
# ldapsearch -x -LLL -h <ldapserver> -b "dc=example,dc=com" uid=shadowuser1
dn: uid=shadowuser1,ou=People,dc=example,dc=com
uid: shadowuser1
cn: shadowuser1
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 0
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 9901
gidNumber: 9901
homeDirectory: /home/shadowuser1

4. Auth as the user
# ssh -l shadowuser1 localhost
shadowuser1@localhost's password:
Permission denied, please try again.
shadowuser1@localhost's password:

Actual results:
Password change prompt does not appear.
/var/log/sssd/sssd_LDAP.log shows:
(Fri Apr 18 06:35:22 2014) [sssd[be[LDAP]]]
[find_password_expiration_attributes] (0x4000): Found shadow password
expiration attributes.
(Fri Apr 18 06:35:22 2014) [sssd[be[LDAP]]] [check_pwexpire_shadow] (0x0100):
Last change day is not set, new password needed.
(Fri Apr 18 06:35:22 2014) [sssd[be[LDAP]]] [sdap_pam_auth_done] (0x0020):
check_pwexpire_shadow failed.

/var/log/secure shows:
Apr 18 06:35:22 beast sshd[18105]: pam_sss(sshd:auth): received for user
shadowuser1: 4 (System error)

Expected results:
Password change prompt should appear.

Additional info:
With server side password policies enabled, the following is seen:
# ssh -l shadowuser1 localhost
shadowuser1@localhost's password:
Your password has expired. You have 1 grace login(s) remaining.
[shadowuser1@ibm-z10-51 ~]$

Do not disable server password policies. Relying only on shadow is not secure and thus not a preferred method.
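To show what the log lines above imply, here is an added example (not SSSD's code) that evaluates shadowAccount aging attributes with the semantics of shadow(5) and maps the result to the PAM outcome a responder should return: shadowLastChange=0 forces a password change rather than a system error. The parser, the PAM mapping table and the day numbers are assumptions for illustration; the sample entry is constructed from the ticket's shadowuser1.

```python
"""Evaluate shadowAccount password-aging attributes as a PAM account check would.

Assumed semantics (shadow(5)): shadowLastChange is days since the epoch of the
last change, 0 means "must change at next login"; shadowMax is the maximum age
in days (99999 or absent means no expiry); shadowWarning is the warning window.
"""

SHADOW_NO_EXPIRY = 99999


def parse_ldif_entry(ldif: str) -> dict:
    """Parse one LDIF entry into {attribute: [values]} (attributes may repeat)."""
    entry = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entry.setdefault(key.strip(), []).append(value.strip())
    return entry


def check_pwexpire_shadow(entry: dict, today_days: int) -> str:
    """Return 'no_aging', 'change_required', 'expired', 'warn' or 'ok'."""
    last = entry.get("shadowLastChange")
    if not last:                      # attribute absent: aging disabled
        return "no_aging"
    last_change = int(last[0])
    if last_change == 0:              # the ticket's case: force a change, do not error
        return "change_required"
    max_age = int(entry.get("shadowMax", [SHADOW_NO_EXPIRY])[0])
    if max_age < 0 or max_age >= SHADOW_NO_EXPIRY:
        return "ok"                   # no maximum age configured
    expire_day = last_change + max_age
    if today_days > expire_day:
        return "expired"
    warn_days = int(entry.get("shadowWarning", [0])[0])
    if today_days >= expire_day - warn_days:
        return "warn"
    return "ok"


# Assumed mapping: both states that need a new password should yield
# PAM_NEW_AUTHTOK_REQD so the login stack prompts for a password change.
PAM_RESULT = {"no_aging": "PAM_SUCCESS", "ok": "PAM_SUCCESS", "warn": "PAM_SUCCESS",
              "change_required": "PAM_NEW_AUTHTOK_REQD", "expired": "PAM_NEW_AUTHTOK_REQD"}


def pam_acct_result(entry: dict, today_days: int) -> str:
    return PAM_RESULT[check_pwexpire_shadow(entry, today_days)]


# Constructed sample mirroring the ticket's entry (shadowLastChange: 0).
SAMPLE_LDIF = """dn: uid=shadowuser1,ou=People,dc=example,dc=com
uid: shadowuser1
objectClass: shadowAccount
shadowLastChange: 0
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
"""
```

Day 16178 used in the checks is 18 April 2014, the date of the log excerpt.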

milestone: NEEDS_TRIAGE => SSSD Deferred
review: True => 0
testsupdated: => 0

Fields changed

milestone: SSSD Deferred => SSSD 1.12.1

Requested by downstream for inclusion sooner.

milestone: SSSD 1.12.1 => SSSD 1.11.7
owner: somebody => jhrozek
status: new => assigned

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.11.7

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3365

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
