Bug 1887077 - Incorrect password expiry warning
Summary: Incorrect password expiry warning
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pam
Version: 33
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Iker Pedrosa
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-10-10 16:34 UTC by James
Modified: 2020-11-27 01:11 UTC (History)
16 users (show)

Fixed In Version: pam-1.4.0-6.fc33 pam-1.3.1-28.fc32
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-02 01:11:02 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description James 2020-10-10 16:34:17 UTC 
Description of problem:

These are all Fedora 33 machines set up as IPA clients in a local realm. When I log into the F33 machines I see a message like:

  Warning: your password will expire in 32767 days.

The expiry time isn't always consistent. Simultaneously, on another machine I see

  Warning: your password will expire in 32765 days.

All machines have their clocks synchronised. 

The password actually expires in 21 days. The inconsistency of the reported number, and the fact that the value is always a few short of 2^15, makes me wonder if this message is coming from a faulty printf() formatter somewhere.

I don't see this on the Fedora 32 machines.

Reporting against sssd to kick off investigation; not sure exactly which component is at fault.

Version-Release number of selected component (if applicable):
sssd-2.3.1-4.fc33.x86_64
pam-1.4.0-4.fc33.x86_64
freeipa-client-4.8.10-5.fc33.x86_64
Comment 1 Sumit Bose 2020-10-12 08:16:51 UTC 
Hi,

thanks for the report, can you add 'debug_level = 9' to the [domain/...] section of sssd.conf, restart SSSD, log in again and look for 'exp_time:' in krb5_child.log. This should be the original timestamp in seconds returned by the KDC minus the current time in seconds since UNIX epoch.

bye,
Sumit
Comment 2 James 2020-10-12 10:59:58 UTC 
The only exp_time line I have is:

(2020-10-12 11:57:56): [krb5_child[142069]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [1766686]

One thing I've just noticed is if I su to myself (rather than ssh to localhost), I get 'Warning: your password will expire in 0 days.' -- also not really in the spirit of correctness, since I've since disabled password expiry in my FreeIPA account (stored as a numerically zero-time expiry).
Comment 3 Sumit Bose 2020-10-13 13:18:16 UTC 
Hi,

thanks, so the original expiration time seems to be correct.

What makes me wonder is that the message "Warning: your password will expire in ..." does not match what SSSD's pam_sss would generate, this would look like 'Your password will expire in ...'. A message starting with 'Warning: ...' might be generated by pam_unix. Do you, by chance, have users with the same name in /etc/passwd and matching data in /etc/shadow?

bye,
Sumit
Comment 4 James 2020-10-13 15:22:04 UTC 
The user name concerned isn't present in /etc/passwd or /etc/shadow, it's purely IPA-based.

I also tried clearing out the sssd cache, but the problem remains.

The affected machines were set up as IPA clients by the usual means, by running ipa-client-install --mkhomedir --no-ntp. So this could be a PAM misconfiguration... do you want me to attach /etc/nsswitch.conf or something from /etc/pam.d ?
Comment 5 Sumit Bose 2020-10-14 12:32:23 UTC 
(In reply to James from comment #4)
> The user name concerned isn't present in /etc/passwd or /etc/shadow, it's
> purely IPA-based.
> 
> I also tried clearing out the sssd cache, but the problem remains.
> 
> The affected machines were set up as IPA clients by the usual means, by
> running ipa-client-install --mkhomedir --no-ntp. So this could be a PAM
> misconfiguration... do you want me to attach /etc/nsswitch.conf or something
> from /etc/pam.d ?

Hi,

please check the journal (or /var/log/secure if you use this style of logging) for messages from the time of the authentication. On a tet system I can see messages like:

    Oct 14 12:26:21 f33.rhel75.devel sshd[9844]: pam_unix(sshd:account): password for user testsc1 will expire in 32767 days

or 

    Oct 14 12:20:11 f33.rhel75.devel su[9798]: pam_unix(su:account): password for user testsc1 will expire in 0 days

which are in agreement to your observations but as can be seen really are coming from pam_unix.

I'll change the component to 'pam', Iker, can you have a look, it looks like you really need F33 with pam-1.4.0 to reproduce this.

bye,
Sumit
Comment 6 Iker Pedrosa 2020-10-14 15:29:34 UTC 
The problem was already fixed by Tomas Mraz upstream and it only applies to pam-1.4.0 release. I'll port it downstream in the following days. By the way, it wasn't a format printing error but an uninitialized variable.
Comment 7 Iker Pedrosa 2020-10-14 15:30:15 UTC 
* master:
    db6b293046aee4735f3aa2d1713742ed4b533219 - Fix missing initialization of daysleft
Comment 8 James 2020-10-14 15:34:47 UTC 
(In reply to Iker Pedrosa from comment #6)
> The problem was already fixed by Tomas Mraz upstream and it only applies to
> pam-1.4.0 release. I'll port it downstream in the following days. By the
> way, it wasn't a format printing error but an uninitialized variable.

Thanks! Stack garbage would've been by second guess ;)
Comment 9 2013temp2013temp 2020-10-29 19:15:46 UTC 
Hi,

When will it be in the update repository? We are waiting for it.

Thank you
Comment 10 James 2020-10-29 19:38:37 UTC 
(In reply to 2013temp2013temp from comment #9)
> Hi,
> 
> When will it be in the update repository? We are waiting for it.
> 
> Thank you

The fix is in pam-1.4.0-6.fc34 which is in Koji. An fc33 build should be there soon, but you can build from the same SRPM.
Comment 11 2013temp2013temp 2020-10-29 21:51:51 UTC 
Hi,

I know NIS/YP is old stuff but we had many releases in a row, including fedora 33 which prevents users from logging till patches are released or switching between nscd and sssd etc...

I would really appreciate one test on NIS logging before releasing a new fedora.

Please
Comment 12 Fedora Update System 2020-10-30 12:00:17 UTC 
FEDORA-2020-cdf799e9ec has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-cdf799e9ec
Comment 13 Fedora Update System 2020-10-31 02:55:01 UTC 
FEDORA-2020-cdf799e9ec has been pushed to the Fedora 33 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-cdf799e9ec`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-cdf799e9ec

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 14 2013temp2013temp 2020-10-31 13:55:49 UTC 
ok took it from testing repository
works fine
thanks
Comment 15 Fedora Update System 2020-11-02 01:11:02 UTC 
FEDORA-2020-cdf799e9ec has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 16 Fedora Update System 2020-11-11 09:17:05 UTC 
FEDORA-2020-543e7c2021 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-543e7c2021
Comment 17 Fedora Update System 2020-11-12 04:42:46 UTC 
FEDORA-2020-543e7c2021 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-543e7c2021`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-543e7c2021

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 18 Fedora Update System 2020-11-27 01:11:12 UTC 
FEDORA-2020-543e7c2021 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.