Description of problem:
Password expiry notifications to AD clients with SSSD no longer work due to a regression from the fix for bug 1385665.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1) Configure sssd to use auth_provider=krb5 or ad.
2) Configure short password expiry for user in AD.
Actual results:
No expiry message is sent to any client (e.g. GNOME, ssh, etc.).
Expected results:
Expiry message should be seen.
My first suggestion would be to not use the private version of krb5_get_init_creds_password() even if it means regressing the other bug.
Looking at how libkrb5 implements the password expiration, we'd need to inspect the AS reply, and the only API that libkrb5 publicly makes available that returns struct krb5_kdc_rep is marked as deprecated. So reimplementing the functionality looks non-trivial. But moreover, I'm worried that we would be constantly missing some fixes or changes to the recommended krb5_get_init_creds_password().
To capture the discussion we had last week on our team meeting:
- we would ask MIT to provide an API to access the needed data
- in the meantime, we could suggest using auth_provider=krb5. This should have no functional regression compared with auth_provider=ad as long as the following two options are set:
- krb5_validate = true
- krb5_use_enterprise_principal = true
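The workaround described in the comment above, written out as a complete sssd.conf domain section. This is an added example, not configuration from the bug report or from the SSSD project; the domain name example.com, the realm EXAMPLE.COM, and the server names are placeholders. The first section shows the usual AD setup (auth_provider=ad), the second shows the suggested interim setup that keeps the AD identity provider but switches authentication to the krb5 provider with the two options the comment names.

```ini
# Original layout: the ad provider handles both identity and authentication.
# With the regression in question, this layout gives no expiry warnings.
[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM

# Interim layout from the comment above: identity still comes from AD,
# authentication goes through the generic krb5 provider, which still emits
# the password expiry warning to the client.
[domain/example.com]
id_provider = ad
auth_provider = krb5
access_provider = ad
chpass_provider = krb5
ad_domain = example.com
krb5_realm = EXAMPLE.COM
krb5_server = dc1.example.com, dc2.example.com   ; placeholder KDCs
# Verify the obtained TGT against the host keytab so a spoofed KDC cannot
# grant a bogus login; the ad provider does this implicitly.
krb5_validate = true
# Send user@example.com style enterprise principals so that UPN-based logins
# keep working the way they do with the ad provider.
krb5_use_enterprise_principal = true
```

Both sections carry the same domain name because the example shows a before and an after; only one of them belongs in a real sssd.conf. Restart sssd after the change and watch the SSSD krb5 child log at debug level to confirm that the `krb5_validate` step succeeds against the keytab, since a failed validation turns every login into an error rather than a warning.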