Bug 1522928
| Summary: | sssd doesn't allow user with expired password to login when PasswordgraceLimit set | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Niranjan Mallapadi Raghavender <mniranja> | ||||||
| Component: | sssd | Assignee: | Fabiano FidĂȘncio <fidencio> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | sssd-qe <sssd-qe> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | 7.5 | CC: | fidencio, grajaiya, jhrozek, lslebodn, mkosek, mniranja, mzidek, pbrezina, sgoveas, tscherf | ||||||
| Target Milestone: | rc | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | sssd-1.16.2-9.el7 | Doc Type: | If docs needed, set a value | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2018-10-30 10:41:19 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
|
Description
Niranjan Mallapadi Raghavender
2017-12-06 18:34:44 UTC
Created attachment 1363861 [details]
Attaching sssd-debug logs when sssd was configured with 389-ds-base-1.3.7.5-10.el7 .
Created attachment 1363862 [details]
Attaching sssd-debug logs when sssd was configured with 389-ds-base-1.3.6.1-19.el7_4.
Refer:https://bugzilla.redhat.com/show_bug.cgi?id=1464505 where this change was introduced in 389-ds In my first comment i mentioned In earlier versions of 389-ds-base (i.e 389-ds-base-1.3.7.5-4.el7 and above), password expired control was not sent and sssd would allow the expired user to attemp Login till passwordGracelimit is 0 By earlier vesion i meant 389-ds-base-1.3.6.1-19 and earlier, (not 389-ds-base-1.3.7.5-4.el7 ), Sorry for typo Upstream ticket: https://pagure.io/SSSD/sssd/issue/3597 * master: 954bf82b60b7cfd93b865a6618f155d042b15729 Versions: sssd-winbind-idmap-1.16.2-7.el7.x86_64 sssd-client-1.16.2-11.el7.x86_64 sssd-common-1.16.2-11.el7.x86_64 sssd-ipa-1.16.2-11.el7.x86_64 sssd-dbus-1.16.2-11.el7.x86_64 sssd-1.16.2-11.el7.x86_64 sssd-libwbclient-1.16.2-7.el7.x86_64 python-sssdconfig-1.16.2-11.el7.noarch sssd-krb5-common-1.16.2-11.el7.x86_64 sssd-ad-1.16.2-11.el7.x86_64 sssd-ldap-1.16.2-11.el7.x86_64 sssd-proxy-1.16.2-11.el7.x86_64 sssd-tools-1.16.2-11.el7.x86_64 sssd-kcm-1.16.2-11.el7.x86_64 sssd-common-pac-1.16.2-11.el7.x86_64 sssd-krb5-1.16.2-11.el7.x86_64 Directory Server Version: 389-ds-base-1.3.8.4-9.el7.x86_64 1. Configure Directory server with Global password policies: passwordMaxAge=1, passwordExp=on, and passwordGracelimit=3 2. Configure system to authenticate with sssd using ldap provider # cat /etc/sssd/sssd.conf [sssd] domains = LDAP config_file_version = 2 services = nss, pam [domain/LDAP] enumerate = false id_provider = ldap ldap_uri = ldap://host-8-251-85.host.centralci.eng.rdu2.redhat.com ldap_search_base = dc=example,dc=test ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem auth_provider = ldap debug_level = 9 [pam] debug_level = 9 offline_credentials_expiration = 0 Manual Verification: [root@host-8-251-85 yum.repos.d]# ssh -o StrictHostKeyChecking=no -l student3 localhost student3@localhost's password: Your password has expired. You have 2 grace login(s) remaining. Last login: Fri Aug 3 05:19:32 2018 from localhost Could not chdir to home directory /home/student3: No such file or directory -bash-4.2$ passwd Changing password for user student3. Current Password: New password: Retype new password: passwd: all authentication tokens updated successfully. -bash-4.2$ logout Connection to localhost closed. [root@host-8-251-85 yum.repos.d]# ssh -o StrictHostKeyChecking=no -l student3 localhost student3@localhost's password: Your password has expired. You have 2 grace login(s) remaining. Last login: Fri Aug 3 05:21:12 2018 from localhost Could not chdir to home directory /home/student3: No such file or directory -bash-4.2$ logout Connection to localhost closed. [root@host-8-251-85 yum.repos.d]# ssh -o StrictHostKeyChecking=no -l student3 localhost student3@localhost's password: Your password has expired. You have 1 grace login(s) remaining. Last login: Fri Aug 3 05:21:33 2018 from localhost Could not chdir to home directory /home/student3: No such file or directory -bash-4.2$ logout Connection to localhost closed. [root@host-8-251-85 yum.repos.d]# ssh -o StrictHostKeyChecking=no -l student3 localhost student3@localhost's password: Permission denied, please try again. student3@localhost's password: Your password has expired. You have 0 grace login(s) remaining. Last failed login: Fri Aug 3 05:22:15 EDT 2018 from localhost on ssh:notty There was 1 failed login attempt since the last successful login. Last login: Fri Aug 3 05:21:59 2018 from localhost Could not chdir to home directory /home/student3: No such file or directory -bash-4.2$ logout Connection to localhost closed. [root@host-8-251-85 yum.repos.d]# ssh -o StrictHostKeyChecking=no -l student3 localhost student3@localhost's password: Password expired. Change your password now. Last login: Fri Aug 3 05:22:18 2018 from localhost WARNING: Your password has expired. You must change your password now and login again! Changing password for user student3. Current Password: Write failed: Broken pipe Automated Verification through CI. :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Display last grace login bz954323 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: modifying entry "cn=config" spawn ssh -o StrictHostKeyChecking=no -l ppuser1 localhost ppuser1@localhost's password: Your password has expired. You have 2 grace login(s) remaining. Last login: Thu Aug 2 14:02:14 2018 from localhost Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/sssd-rhel-7.6-candidate-runtest-ldap-provider-ldap_id_ldap_auth/32/ Could not chdir to home directory /home/ppuser1: No such file or directory /usr/bin/id: cannot find name for group ID 23579 -bash-4.2$ :: [ 14:02:18 ] :: [ PASS ] :: File '/var/log/secure' should contain 'You have 2 grace login(s) remaining' spawn ssh -o StrictHostKeyChecking=no -l ppuser1 localhost ppuser1@localhost's password: Your password has expired. You have 1 grace login(s) remaining. Last login: Thu Aug 2 14:02:18 2018 from localhost Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/sssd-rhel-7.6-candidate-runtest-ldap-provider-ldap_id_ldap_auth/32/ Could not chdir to home directory /home/ppuser1: No such file or directory /usr/bin/id: cannot find name for group ID 23579 -bash-4.2$ :: [ 14:02:18 ] :: [ PASS ] :: File '/var/log/secure' should contain 'You have 1 grace login(s) remaining' spawn ssh -o StrictHostKeyChecking=no -l ppuser1 localhost ppuser1@localhost's password: Your password has expired. You have 0 grace login(s) remaining. Last login: Thu Aug 2 14:02:18 2018 from localhost Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/sssd-rhel-7.6-candidate-runtest-ldap-provider-ldap_id_ldap_auth/32/ Could not chdir to home directory /home/ppuser1: No such file or directory /usr/bin/id: cannot find name for group ID 23579 -bash-4.2$ :: [ 14:02:18 ] :: [ PASS ] :: File '/var/log/secure' should contain 'You have 0 grace login(s) remaining' Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:3158 |