Bug 190256

Summary: pam_ldap won't allow expired password changes
Product: Red Hat Enterprise Linux 4
Reporter: Jose Plans <jplans>
Component: nss_ldap
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA
QA Contact: Jay Turner <jturner>
Severity: medium
Priority: medium
Version: 4.0
CC: jplans, srevivo
Hardware: All
OS: Linux
URL: http://bugzilla.padl.com/show_bug.cgi?id=268
Fixed In Version: RHBA-2007-0267
Doc Type: Bug Fix
Last Closed: 2007-05-01 17:31:33 UTC
Bug Blocks: 176344
Attachments: Fix force change password after reset (flags: none)

Description Jose Plans 2006-04-29 13:01:32 UTC
Description of problem:
If an LDAP account has expired, pam_ldap won't force the change.

Version-Release number of selected component (if applicable):
pam_ldap revision 176.
RHEL4 package: nss_ldap-226-10-i386

How reproducible:
Always.

Steps to Reproduce:
1. Set up users on an LDAP server (customer: RHEL4 LDAP server running NSDSv7.1)
2. Reset a user password.
3. Console shows flashing:
 Change after reset
 Permission Denied

Actual results:
Impossible to login.

Expected results:
The user should be forced to change their password.


Additional info:
The customer has also opened a bugzilla with PADL Software.
More data from their report:

From /var/log/messages:

Jun 16 10:39:27 lulu gpm[2258]: *** info [mice.c(1766)]:
Jun 16 10:39:27 lulu gpm[2258]: imps2: Auto-detected intellimouse PS/2
Jun 16 10:39:35 lulu unix_chkpwd[28399]: check pass; user unknown
Jun 16 10:39:35 lulu login(pam_unix)[28263]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=tfalgout
Jun 16 10:39:35 lulu unix_chkpwd[28400]: could not get username from shadow (tfalgout))
Jun 16 10:39:35 lulu login[28263]: Permission denied
Jun 16 10:39:35 lulu init: open(/dev/pts/0): No such file or directory
Nothing logged to /var/log/secure

The login PAM module:

#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so multiple open
session    required     pam_mkhomedir.so skel=/etc/skel umask=0077
The system-auth PAM module (created by authconfig):

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
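
The account section of the system-auth file above is what decides whether login refuses the user or runs the password phase. As an added example (not code from the bug report, from pam_ldap or from Linux-PAM), here is a simplified Python model of libpam's dispatcher: the control tables come from pam.conf(5), the stack is the four account lines quoted above, and the return value of each module for a hypothetical LDAP-only user is an assumption. It contrasts pam_ldap returning PAM_PERM_DENIED (the "Permission denied" in the report) with PAM_NEW_AUTHTOK_REQD (the code that makes login call pam_chauthtok and force the change):

```python
# Added example, not part of the bug report, pam_ldap or Linux-PAM: a
# simplified model of how libpam combines account-module return codes.
# Action tables follow pam.conf(5); substacks, jumps and 'include' are
# left out.  Per-module results for the LDAP user are assumptions.

PAM_SUCCESS = 0
PAM_PERM_DENIED = 6
PAM_AUTH_ERR = 7
PAM_USER_UNKNOWN = 10
PAM_NEW_AUTHTOK_REQD = 12
PAM_IGNORE = 25
PAM_MUST_FAIL_CODE = PAM_PERM_DENIED   # libpam's fallback when nothing decided

CODE_NAMES = {
    PAM_SUCCESS: "success",
    PAM_PERM_DENIED: "perm_denied",
    PAM_AUTH_ERR: "auth_err",
    PAM_USER_UNKNOWN: "user_unknown",
    PAM_NEW_AUTHTOK_REQD: "new_authtok_reqd",
    PAM_IGNORE: "ignore",
}

# Keyword controls expanded to action tables, as documented in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}


def parse_control(token):
    """Turn 'required' or '[default=bad success=ok ...]' into an action table."""
    token = token.strip()
    if token.startswith("[") and token.endswith("]"):
        return dict(pair.split("=", 1) for pair in token[1:-1].split())
    return dict(KEYWORDS[token])


def run_stack(stack, returns):
    """Return the status pam_acct_mgmt() hands the application.

    stack:   list of (control, module) in file order
    returns: module name -> return code that module produces for this user
    """
    UNDEF, POSITIVE, NEGATIVE = "undef", "positive", "negative"
    impression, status = UNDEF, PAM_MUST_FAIL_CODE
    for control, module in stack:
        retval = returns[module]
        actions = parse_control(control)
        action = actions.get(CODE_NAMES.get(retval, "unknown"), actions["default"])
        if action == "ignore":
            continue                      # result does not influence the stack
        if action in ("ok", "done"):
            # A positive result only overrides an earlier positive SUCCESS, so a
            # NEW_AUTHTOK_REQD recorded by a 'required' module survives later successes.
            if retval != PAM_IGNORE and (
                impression == UNDEF or (impression == POSITIVE and status == PAM_SUCCESS)
            ):
                impression, status = POSITIVE, retval
            if action == "done":
                break
        elif action in ("bad", "die"):
            # The first failure is recorded with the module's own return value;
            # this is what lets new_authtok_reqd pass through 'default=bad'.
            if impression != NEGATIVE:
                impression, status = NEGATIVE, retval
            if action == "die":
                break
        else:
            raise ValueError("unsupported action %r" % action)
    if status == PAM_SUCCESS and impression != POSITIVE:
        status = PAM_MUST_FAIL_CODE
    return status


# The account section of the system-auth file quoted in the report.
SYSTEM_AUTH_ACCOUNT = [
    ("required", "pam_unix.so"),
    ("sufficient", "pam_succeed_if.so"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_ldap.so"),
    ("required", "pam_permit.so"),
]


def ldap_user_returns(pam_ldap_result):
    """Assumed results for an LDAP-only user with uid >= 100: pam_unix tolerates
    the missing shadow entry (broken_shadow), pam_succeed_if's 'uid < 100' test
    fails, pam_permit always succeeds."""
    return {
        "pam_unix.so": PAM_SUCCESS,
        "pam_succeed_if.so": PAM_AUTH_ERR,
        "pam_ldap.so": pam_ldap_result,
        "pam_permit.so": PAM_SUCCESS,
    }


def login_outcome(status):
    """What a PAM-aware login does with the account-phase status."""
    if status == PAM_SUCCESS:
        return "session opened"
    if status == PAM_NEW_AUTHTOK_REQD:
        return "pam_chauthtok(PAM_CHANGE_EXPIRED_AUTHTOK): user must change password"
    return "login refused (%s)" % CODE_NAMES.get(status, status)


if __name__ == "__main__":
    for ldap_result in (PAM_PERM_DENIED, PAM_NEW_AUTHTOK_REQD):
        st = run_stack(SYSTEM_AUTH_ACCOUNT, ldap_user_returns(ldap_result))
        print("pam_ldap -> %-16s stack -> %-16s %s"
              % (CODE_NAMES[ldap_result], CODE_NAMES[st], login_outcome(st)))
```

One thing the model makes visible: the `[default=bad success=ok user_unknown=ignore]` control names no action for new_authtok_reqd, so that code falls under default=bad. The forced change still reaches login only because libpam records the first failing module's own return value, which login then recognises as PAM_NEW_AUTHTOK_REQD; listing the action explicitly (new_authtok_reqd=ok) states that intent in the configuration rather than relying on it.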

Comment 1 Jose Plans 2006-04-29 13:01:34 UTC
Created attachment 128389 [details]
Fix force change password after reset

Comment 6 RHEL Program Management 2006-08-18 16:03:15 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 21 Red Hat Bugzilla 2007-05-01 17:31:33 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0267.html