Bug 1887077
Summary: | Incorrect password expiry warning | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | James <james> |
Component: | pam | Assignee: | Iker Pedrosa <ipedrosa> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | ||
Version: | 33 | CC: | 2013temp2013temp, abokovoy, atikhono, besser82, ipedrosa, jhrozek, ldelouw, lslebodn, mzidek, pbrezina, rharwood, sbose, ssorce, sssd-maintainers, tmraz, u.volmer |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | pam-1.4.0-6.fc33 pam-1.3.1-28.fc32 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-11-02 01:11:02 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
James
2020-10-10 16:34:17 UTC
Hi, thanks for the report, can you add 'debug_level = 9' to the [domain/...] section of sssd.conf, restart SSSD, log in again and look for 'exp_time:' in krb5_child.log. This should be the original timestamp in seconds returned by the KDC minus the current time in seconds since UNIX epoch. bye, Sumit The only exp_time line I have is: (2020-10-12 11:57:56): [krb5_child[142069]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [1766686] One thing I've just noticed is if I su to myself (rather than ssh to localhost), I get 'Warning: your password will expire in 0 days.' -- also not really in the spirit of correctness, since I've since disabled password expiry in my FreeIPA account (stored as a numerically zero-time expiry). Hi, thanks, so the original expiration time seems to be correct. What makes me wonder is that the message "Warning: your password will expire in ..." does not match what SSSD's pam_sss would generate, this would look like 'Your password will expire in ...'. A message starting with 'Warning: ...' might be generated by pam_unix. Do you, by chance, have users with the same name in /etc/passwd and matching data in /etc/shadow? bye, Sumit The user name concerned isn't present in /etc/passwd or /etc/shadow, it's purely IPA-based. I also tried clearing out the sssd cache, but the problem remains. The affected machines were set up as IPA clients by the usual means, by running ipa-client-install --mkhomedir --no-ntp. So this could be a PAM misconfiguration... do you want me to attach /etc/nsswitch.conf or something from /etc/pam.d ? (In reply to James from comment #4) > The user name concerned isn't present in /etc/passwd or /etc/shadow, it's > purely IPA-based. > > I also tried clearing out the sssd cache, but the problem remains. > > The affected machines were set up as IPA clients by the usual means, by > running ipa-client-install --mkhomedir --no-ntp. So this could be a PAM > misconfiguration... do you want me to attach /etc/nsswitch.conf or something > from /etc/pam.d ? Hi, please check the journal (or /var/log/secure if you use this style of logging) for messages from the time of the authentication. On a tet system I can see messages like: Oct 14 12:26:21 f33.rhel75.devel sshd[9844]: pam_unix(sshd:account): password for user testsc1 will expire in 32767 days or Oct 14 12:20:11 f33.rhel75.devel su[9798]: pam_unix(su:account): password for user testsc1 will expire in 0 days which are in agreement to your observations but as can be seen really are coming from pam_unix. I'll change the component to 'pam', Iker, can you have a look, it looks like you really need F33 with pam-1.4.0 to reproduce this. bye, Sumit The problem was already fixed by Tomas Mraz upstream and it only applies to pam-1.4.0 release. I'll port it downstream in the following days. By the way, it wasn't a format printing error but an uninitialized variable. * master: db6b293046aee4735f3aa2d1713742ed4b533219 - Fix missing initialization of daysleft (In reply to Iker Pedrosa from comment #6) > The problem was already fixed by Tomas Mraz upstream and it only applies to > pam-1.4.0 release. I'll port it downstream in the following days. By the > way, it wasn't a format printing error but an uninitialized variable. Thanks! Stack garbage would've been by second guess ;) Hi, When will it be in the update repository? We are waiting for it. Thank you (In reply to 2013temp2013temp from comment #9) > Hi, > > When will it be in the update repository? We are waiting for it. > > Thank you The fix is in pam-1.4.0-6.fc34 which is in Koji. An fc33 build should be there soon, but you can build from the same SRPM. Hi, I know NIS/YP is old stuff but we had many releases in a row, including fedora 33 which prevents users from logging till patches are released or switching between nscd and sssd etc... I would really appreciate one test on NIS logging before releasing a new fedora. Please FEDORA-2020-cdf799e9ec has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-cdf799e9ec FEDORA-2020-cdf799e9ec has been pushed to the Fedora 33 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-cdf799e9ec` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-cdf799e9ec See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. ok took it from testing repository works fine thanks FEDORA-2020-cdf799e9ec has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2020-543e7c2021 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-543e7c2021 FEDORA-2020-543e7c2021 has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-543e7c2021` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-543e7c2021 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2020-543e7c2021 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report. |