Bug 1522928 - sssd doesn't allow user with expired password to login when PasswordgraceLimit set
Summary: sssd doesn't allow user with expired password to login when PasswordgraceLimi...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.5
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Fabiano Fidêncio
QA Contact: sssd-qe
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-12-06 18:34 UTC by Niranjan Mallapadi Raghavender
Modified: 2020-05-02 18:52 UTC (History)

Fixed In Version: sssd-1.16.2-9.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 10:41:19 UTC
Target Upstream Version:
Embargoed:


Attachments
Attaching sssd-debug logs when sssd was configured with 389-ds-base-1.3.7.5-10.el7 . (1.94 MB, text/plain)
2017-12-06 18:36 UTC, Niranjan Mallapadi Raghavender
Attaching sssd-debug logs when sssd was configured with 389-ds-base-1.3.6.1-19.el7_4. (2.77 MB, text/plain)
2017-12-06 18:40 UTC, Niranjan Mallapadi Raghavender


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 4620 0 None closed sssd doesn't allow user with expired password to login when PasswordgraceLimit set 2020-07-10 06:57:19 UTC
Red Hat Product Errata RHSA-2018:3158 0 None None None 2018-10-30 10:42:21 UTC

Description Niranjan Mallapadi Raghavender 2017-12-06 18:34:44 UTC
Description of problem:

When a user's password is expired and passwordGraceLimit is set to 3, the user is allowed to log in 3 times before a password change is forced. In earlier versions of 389-ds-base (i.e. 389-ds-base-1.3.7.5-4.el7 and above), the password expired control was not sent and sssd would allow the expired user to attempt login till passwordGracelimit is 0.

The following messages are seen in the sssd logs:


(Wed Dec  6 23:35:36 2017) [sssd[be[EXAMPLE.TEST]]] [sdap_process_result] (0x2000): Trace: sh[0x562ee6fec900], connected[1], ops[0x562ee70c15f0], ldap[0x562ee70bf260]
(Wed Dec  6 23:35:36 2017) [sssd[be[EXAMPLE.TEST]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_BIND]
(Wed Dec  6 23:35:36 2017) [sssd[be[EXAMPLE.TEST]]] [simple_bind_done] (0x2000): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].
(Wed Dec  6 23:35:36 2017) [sssd[be[EXAMPLE.TEST]]] [simple_bind_done] (0x1000): Password Policy Response: expire [-1] grace [4] error [No error].
(Wed Dec  6 23:35:36 2017) [sssd[be[EXAMPLE.TEST]]] [simple_bind_done] (0x1000): Password expired. [4] grace logins remaining.
(Wed Dec  6 23:35:36 2017) [sssd[be[EXAMPLE.TEST]]] [simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
(Wed Dec  6 23:35:36 2017) [sssd[be[EXAMPLE.TEST]]] [sdap_op_destructor] (0x2000): Operation 3 finished
(Wed Dec  6 23:35:36 2017) [sssd[be[EXAMPLE.TEST]]] [auth_bind_user_done] (0x4000): Found ppolicy data, assuming LDAP password policies are active.


After updating 389-ds to 389-ds-base-1.3.7.5-10.el7, for expired users with a grace period 389-ds now sends the password expired control, causing sssd to not allow the user to log in even though the GraceLimit is set and the user is allowed to make a certain number of login attempts till the GraceLimit expires (0).

Version-Release number of selected component (if applicable):

sssd-1.16.0-9.el7.x86_64
389-ds-base-1.3.7.5-10.el7 


How reproducible:


Steps to Reproduce:
1. Configure sssd to authenticate to the LDAP server:
[sssd]
domains = EXAMPLE.TEST
config_file_version = 2
services = nss, pam, ifp

[domain/EXAMPLE.TEST]
enumerate = false
id_provider = ldap
ldap_uri = ldap://vm-idm-033.lab.eng.pnq.redhat.com
ldap_search_base = dc=example,dc=test
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
auth_provider = ldap

[nss]
debug_level = 9

[pam]
debug_level = 9
offline_credentials_expiration = 0



2. Create a foo1 user on 389-ds.

3. Set a password policy with passwordMaxAge=1, passwordExp=on, and passwordGracelimit=3.

4. Log in as the foo1 user.

Actual results:

The user is prompted to change the password immediately:
[root@vm-idm-033 ~]# ssh -o StrictHostKeyChecking=no -l foo1 localhost
foo1@localhost's password:
Password expired. Change your password now.
Last login: Wed Dec  6 22:02:57 2017 from localhost
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user foo1.
Current Password:


Expected results:

The user should not be prompted for a password change till the grace limit expires (or becomes 0).



Additional info:

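The control that sssd is parsing in the log above, as an added example that is not part of this bug report or of sssd's own code: a minimal BER decoder for the Password Policy Response control value (OID 1.3.6.1.4.1.42.2.27.8.5.1) followed by the grace-login decision the report expects. The sample control bytes are constructed, and the separate Netscape "password expired" control is modelled as a plain boolean argument rather than decoded.

```python
# Added example, not sssd project code: decode the LDAP Password Policy Response
# control (OID 1.3.6.1.4.1.42.2.27.8.5.1) that sssd logs as "expire [-1] grace [4]
# error [No error]", then apply the rule the report expects for grace logins.

PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"
PASSWORD_EXPIRED = 0   # ppolicy 'error' enumeration value for passwordExpired

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one BER TLV; short-form lengths suffice here."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER length not expected in a ppolicy control")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def decode_ppolicy(value):
    """Decode PasswordPolicyResponseValue; -1 means the field was absent (as in sssd's log)."""
    tag, seq, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("PasswordPolicyResponseValue must be a SEQUENCE")
    out, pos = {"expire": -1, "grace": -1, "error": None}, 0
    while pos < len(seq):
        tag, inner, pos = _read_tlv(seq, pos)
        if tag == 0xA0:            # warning [0] CHOICE (explicit, constructed tag)
            wtag, wval, _ = _read_tlv(inner, 0)
            if wtag == 0x80:       # timeBeforeExpiration [0] INTEGER
                out["expire"] = int.from_bytes(wval, "big", signed=True)
            elif wtag == 0x81:     # graceAuthNsRemaining [1] INTEGER
                out["grace"] = int.from_bytes(wval, "big", signed=True)
        elif tag == 0x81:          # error [1] ENUMERATED (implicit, primitive tag)
            out["error"] = int.from_bytes(inner, "big", signed=True)
    return out

def bind_outcome(ppolicy, expired_control_seen):
    """Decide what the PAM side should do after a successful bind.
    expired_control_seen is True when the server also returned the Netscape
    'password expired' control, which newer 389-ds sends alongside the grace
    count; the pre-fix behaviour in the report treated it alone as 'force change'."""
    if ppolicy["grace"] >= 0:      # count reported -> this login was a grace login
        return "allow", f"Your password has expired. You have {ppolicy['grace']} grace login(s) remaining."
    if expired_control_seen or ppolicy["error"] == PASSWORD_EXPIRED:
        return "change", "Password expired. Change your password now."
    if ppolicy["expire"] >= 0:
        return "allow", f"Your password will expire in {ppolicy['expire']} second(s)."
    return "allow", None

# Constructed sample control values (not captured from the reporter's server).
GRACE_4 = bytes.fromhex("3005a003810104")       # warning: graceAuthNsRemaining = 4
EXPIRED_NO_GRACE = bytes.fromhex("3003810100")  # error: passwordExpired, no grace left
```
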
Comment 2 Niranjan Mallapadi Raghavender 2017-12-06 18:36:39 UTC
Created attachment 1363861 [details]
Attaching sssd-debug logs when sssd was configured with 389-ds-base-1.3.7.5-10.el7 .

Comment 3 Niranjan Mallapadi Raghavender 2017-12-06 18:40:40 UTC
Created attachment 1363862 [details]
Attaching sssd-debug logs when sssd was configured with 389-ds-base-1.3.6.1-19.el7_4.

Comment 4 Niranjan Mallapadi Raghavender 2017-12-06 18:42:08 UTC
Refer:https://bugzilla.redhat.com/show_bug.cgi?id=1464505 where this change was introduced in 389-ds

Comment 5 Niranjan Mallapadi Raghavender 2017-12-06 18:45:14 UTC
In my first comment I mentioned:

 In earlier versions of 389-ds-base (i.e. 389-ds-base-1.3.7.5-4.el7 and above), the password expired control was not sent and sssd would allow the expired user to attempt login till passwordGracelimit is 0.

By earlier version I meant 389-ds-base-1.3.6.1-19 and earlier (not 389-ds-base-1.3.7.5-4.el7). Sorry for the typo.

Comment 6 Jakub Hrozek 2017-12-07 16:43:57 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3597

Comment 12 Jakub Hrozek 2018-07-26 09:32:05 UTC
* master: 954bf82b60b7cfd93b865a6618f155d042b15729

Comment 16 Niranjan Mallapadi Raghavender 2018-08-03 10:34:05 UTC
Versions:

sssd-winbind-idmap-1.16.2-7.el7.x86_64
sssd-client-1.16.2-11.el7.x86_64
sssd-common-1.16.2-11.el7.x86_64
sssd-ipa-1.16.2-11.el7.x86_64
sssd-dbus-1.16.2-11.el7.x86_64
sssd-1.16.2-11.el7.x86_64
sssd-libwbclient-1.16.2-7.el7.x86_64
python-sssdconfig-1.16.2-11.el7.noarch
sssd-krb5-common-1.16.2-11.el7.x86_64
sssd-ad-1.16.2-11.el7.x86_64
sssd-ldap-1.16.2-11.el7.x86_64
sssd-proxy-1.16.2-11.el7.x86_64
sssd-tools-1.16.2-11.el7.x86_64
sssd-kcm-1.16.2-11.el7.x86_64
sssd-common-pac-1.16.2-11.el7.x86_64
sssd-krb5-1.16.2-11.el7.x86_64

Directory Server Version:
389-ds-base-1.3.8.4-9.el7.x86_64

1. Configure Directory server with Global password policies:
passwordMaxAge=1, passwordExp=on, and passwordGracelimit=3 

2. Configure the system to authenticate with sssd using the LDAP provider:

# cat /etc/sssd/sssd.conf 
[sssd]
domains = LDAP
config_file_version = 2
services = nss, pam

[domain/LDAP]
enumerate = false
id_provider = ldap
ldap_uri = ldap://host-8-251-85.host.centralci.eng.rdu2.redhat.com
ldap_search_base = dc=example,dc=test
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
auth_provider = ldap
debug_level = 9

[pam]
debug_level = 9
offline_credentials_expiration = 0


Manual Verification:


[root@host-8-251-85 yum.repos.d]#  ssh -o StrictHostKeyChecking=no -l student3 localhost
student3@localhost's password:
Your password has expired. You have 2 grace login(s) remaining.
Last login: Fri Aug  3 05:19:32 2018 from localhost
Could not chdir to home directory /home/student3: No such file or directory
-bash-4.2$ passwd
Changing password for user student3.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
-bash-4.2$ logout
Connection to localhost closed.
[root@host-8-251-85 yum.repos.d]#  ssh -o StrictHostKeyChecking=no -l student3 localhost
student3@localhost's password:
Your password has expired. You have 2 grace login(s) remaining.
Last login: Fri Aug  3 05:21:12 2018 from localhost
Could not chdir to home directory /home/student3: No such file or directory
-bash-4.2$ logout
Connection to localhost closed.
[root@host-8-251-85 yum.repos.d]#  ssh -o StrictHostKeyChecking=no -l student3 localhost
student3@localhost's password:
Your password has expired. You have 1 grace login(s) remaining.
Last login: Fri Aug  3 05:21:33 2018 from localhost
Could not chdir to home directory /home/student3: No such file or directory
-bash-4.2$ logout
Connection to localhost closed.
[root@host-8-251-85 yum.repos.d]#  ssh -o StrictHostKeyChecking=no -l student3 localhost
student3@localhost's password:
Permission denied, please try again.
student3@localhost's password:
Your password has expired. You have 0 grace login(s) remaining.
Last failed login: Fri Aug  3 05:22:15 EDT 2018 from localhost on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Fri Aug  3 05:21:59 2018 from localhost
Could not chdir to home directory /home/student3: No such file or directory
-bash-4.2$ logout
Connection to localhost closed.
[root@host-8-251-85 yum.repos.d]#  ssh -o StrictHostKeyChecking=no -l student3 localhost
student3@localhost's password:
Password expired. Change your password now.
Last login: Fri Aug  3 05:22:18 2018 from localhost
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user student3.
Current Password: Write failed: Broken pipe

Automated Verification through CI. 

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
 ::   Display last grace login bz954323
 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
 modifying entry "cn=config"
 spawn ssh -o StrictHostKeyChecking=no -l ppuser1 localhost
 ppuser1@localhost's password:  
 Your password has expired. You have 2 grace login(s) remaining.
 Last login: Thu Aug  2 14:02:14 2018 from localhost
 Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/sssd-rhel-7.6-candidate-runtest-ldap-provider-ldap_id_ldap_auth/32/
 Could not chdir to home directory /home/ppuser1: No such file or directory
 /usr/bin/id: cannot find name for group ID 23579
 -bash-4.2$ 
 :: [ 14:02:18 ] :: [   PASS   ] :: File '/var/log/secure' should contain 'You have 2 grace login(s) remaining' 
 spawn ssh -o StrictHostKeyChecking=no -l ppuser1 localhost
 ppuser1@localhost's password:  
 Your password has expired. You have 1 grace login(s) remaining.
 Last login: Thu Aug  2 14:02:18 2018 from localhost
 Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/sssd-rhel-7.6-candidate-runtest-ldap-provider-ldap_id_ldap_auth/32/
 Could not chdir to home directory /home/ppuser1: No such file or directory
 /usr/bin/id: cannot find name for group ID 23579
 -bash-4.2$ 
 :: [ 14:02:18 ] :: [   PASS   ] :: File '/var/log/secure' should contain 'You have 1 grace login(s) remaining' 
 spawn ssh -o StrictHostKeyChecking=no -l ppuser1 localhost
 ppuser1@localhost's password:  
 Your password has expired. You have 0 grace login(s) remaining.
 Last login: Thu Aug  2 14:02:18 2018 from localhost
 Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/sssd-rhel-7.6-candidate-runtest-ldap-provider-ldap_id_ldap_auth/32/
 Could not chdir to home directory /home/ppuser1: No such file or directory
 /usr/bin/id: cannot find name for group ID 23579
 -bash-4.2$ 
 :: [ 14:02:18 ] :: [   PASS   ] :: File '/var/log/secure' should contain 'You have 0 grace login(s) remaining'

Comment 18 errata-xmlrpc 2018-10-30 10:41:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3158

