Red Hat Bugzilla – Bug 1111528
Expired shadow policy user(shadowLastChange=0) is not prompted for password change
Last modified: 2015-11-19 16:53:58 EST
This is a regression caused by the rewrite of the error codes in 1.10.
Here is a test build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7863299 It would be nice if QE could confirm the fix helps.
(In reply to Jakub Hrozek from comment #2)
> Here is a test build:
> http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7863299
>
> It would be nice if QE could confirm the fix helps.

Works with the scratch build. User is now prompted for the password change. Thanks Jakub.
(In reply to Kaushik Banerjee from comment #3)
> (In reply to Jakub Hrozek from comment #2)
> > Here is a test build:
> > http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7863299
> >
> > It would be nice if QE could confirm the fix helps.
>
> Works with the scratch build. User is now prompted for the password change.
> Thanks Jakub.

Thank you very much for testing. I will build an official package once the patch is merged upstream.
Verified with sssd-1.11.6-28.el6

Output from beaker run:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: shadow7: Account expired
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
modifying entry "uid=shadowuser1,ou=Users,dc=example,dc=com"
Stopping sssd: [ OK ]
Starting sssd: [ OK ]
spawn ssh -o StrictHostKeyChecking=no -l shadowuser1 localhost
shadowuser1@localhost's password:
Password expired. Change your password now.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user shadowuser1.
Current Password:
New password:
Retype new password:
:: [ LOG ] :: Sleeping for 5 seconds
:: [ PASS ] :: File '/var/log/sssd/sssd_LDAP.log' should contain 'Found shadow password expiration attributes'
:: [ PASS ] :: File '/var/log/sssd/sssd_LDAP.log' should contain 'Last change day is not set, new password needed'
:: [ PASS ] :: File '/var/log/sssd/sssd_LDAP.log' should contain 'Initial authentication for change password operation successful'
:: [ LOG ] :: Duration: 9s
:: [ LOG ] :: Assertions: 3 good, 0 bad
:: [ PASS ] :: RESULT: shadow7: Account expired
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1375.html
I know that this is closed, but when performing the test above, did the user have a valid SSH key in LDAP? Is the user still prompted for a password change if they do have a valid SSH key? If they are not, this is a deviation from the way that NSCD has always functioned. Thanks, Trevor