Bug 719107

Summary: Native AD password policy attributes break shadow entries on forced password change, preventing login
Product: Red Hat Enterprise Linux 5
Reporter: Dmitri Pal <dpal>
Component: sssd
Assignee: Stephen Gallagher <sgallagh>
Status: CLOSED CANTFIX
QA Contact: Chandrasekar Kannan <ckannan>
Severity: high
Priority: high
Version: 5.5
CC: benl, cww, dpal, grajaiya, jgalipea, jplans, prc, sgallagh
Target Milestone: rc
Target Release: ---
Hardware: All
OS: All
Doc Type: Bug Fix
Story Points: ---
Clone Of: 694311
Last Closed: 2011-09-30 12:22:00 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 694311
Bug Blocks: 668957, 719046

Comment 2 Stephen Gallagher 2011-09-30 12:22:00 UTC
This is not possible to accomplish, as Active Directory does not properly handle forced password changes through the LDAP protocol. When the password is expired, it disallows LDAP binds by that user, rather than providing a grace period to change the password. As a result, it's impossible to bind for password-change.

Active Directory's forced password change only works properly with Kerberos. Please advise customers that they need to either switch to using Kerberos for authentication or petition Microsoft to have Active Directory provide a password-change grace period.
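As an added illustration of the workaround described in the comment above (this is not configuration from the bug or from the sssd project), the sssd.conf domain section below keeps LDAP for identity lookups but moves authentication and password changes to Kerberos, so an expired AD password is handled by the KDC's change path instead of failing at the LDAP bind. The domain name, server, realm and search base are placeholders.

```ini
# Added example sssd.conf domain section (placeholder values, not from the bug).
# Identity data still comes from LDAP, but authentication and password changes
# go over Kerberos, which is the only path on which AD completes a forced change.
[domain/example.com]
id_provider = ldap
ldap_uri = ldap://dc.example.com
ldap_search_base = dc=example,dc=com

# With auth_provider = ldap an expired AD password makes the bind fail outright,
# so sssd never reaches the password-change step; krb5 avoids that.
auth_provider = krb5
chpass_provider = krb5
krb5_server = dc.example.com
krb5_realm = EXAMPLE.COM
```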