Bug 1733289 - Password expiry notifications to AD clients no longer work due to regression from fix for bug 1385665
Summary: Password expiry notifications to AD clients no longer work due to regression ...
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.6
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: SSSD Maintainers
QA Contact: sssd-qe
Depends On: 1805628
Reported: 2019-07-25 15:37 UTC by afox@redhat.com
Modified: 2020-02-21 08:35 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1805628 (view as bug list)
Last Closed:
Target Upstream Version:


Description afox@redhat.com 2019-07-25 15:37:41 UTC
Description of problem:
Password expiry notifications to AD clients with SSSD no longer work due to regression from fix for bug 1385665.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1) Configure sssd to use auth_provider=krb5 or ad.
2) Configure short password expiry for user in AD.

Actual results:
No expiry message is sent to any client e.g. gnome, ssh etc.

Expected results:
Expiry message should be seen.

Comment 3 Jakub Hrozek 2019-07-26 15:07:09 UTC
My first suggestion would be to not use the private version of krb5_get_init_creds_password() even if it means regressing the other bug.

Looking at how libkrb5 implements the password expiration, we'd need to inspect the AS reply and the only API that libkrb5 publicly makes available that returns struct krb5_kdc_rep is marked as deprecated. So reimplementing the functionality looks non-trivial. But moreover, I'm worried that we would be constantly missing some fixes or changes to the recommended krb5_get_init_creds_password.

Comment 4 Jakub Hrozek 2019-08-07 19:57:35 UTC
To capture the discussion we had last week on our team meeting:
 - we would ask MIT to provide an API to access the needed data
 - in the meantime, we could suggest using auth_provider=krb5. This should have no functional regression compared with auth_provider=ad as long as the following two options are set:
   - krb5_validate = true
   - krb5_use_enterprise_principal = true
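The interim configuration suggested in comment 4, written out as an sssd.conf domain section. This is an added example, not an attachment to the bug or SSSD project documentation; the domain, realm and domain-controller names are constructed placeholders, and the `[sssd]` section and the `id_provider = ad` lines are assumed surrounding configuration rather than anything the comment specifies.

```ini
# Added example (not from the bug report): sssd.conf domain section applying the
# workaround from comment 4. Domain, realm and server names are placeholders.
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
# Identity still comes from the AD provider (assumed; not stated in the comment).
id_provider = ad
ad_domain = example.com
ad_server = dc1.example.com

# Authenticate through the plain Kerberos provider instead of auth_provider = ad,
# the configuration the report describes as no longer surfacing expiry warnings.
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_server = dc1.example.com

# The two options comment 4 names as required so the krb5 provider has no
# functional regression relative to auth_provider = ad:
krb5_validate = true                   # verify the obtained TGT against the host keytab
krb5_use_enterprise_principal = true   # send the user as an enterprise principal, as the ad provider does
```

Restart SSSD after editing the file; the realm name is conventionally upper case, and `krb5_server` may be omitted if DNS SRV records for the realm are resolvable from the client.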
