Bug 719107 - Native AD password policy attributes break shadow entries on forced password change, preventing login
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: sssd
Version: 5.5
Hardware: All
OS: All
Priority: high
Severity: high
Target Milestone: rc
: ---
Assignee: Stephen Gallagher
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On: 694311
Blocks: 668957 719046
Reported: 2011-07-05 19:40 UTC by Dmitri Pal
Modified: 2015-01-04 23:49 UTC (History)
CC List: 8 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 694311
Environment:
Last Closed: 2011-09-30 12:22:00 UTC
Target Upstream Version:
Links:
Red Hat Product Errata RHBA-2012:0164 (priority normal, status SHIPPED_LIVE): sssd bug fix and enhancement update; last updated 2012-02-20 15:06:51 UTC

Comment 2 Stephen Gallagher 2011-09-30 12:22:00 UTC
This is not possible to accomplish, as Active Directory does not properly handle forced password changes through the LDAP protocol. When the password is expired, it disallows LDAP binds by that user, rather than providing a grace period to change the password. As a result, it's impossible to bind for password-change.

Active Directory's forced password change only works properly with Kerberos. Please advise customers that they need to either switch to using Kerberos for authentication or petition Microsoft to have Active Directory provide a password-change grace period.
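The practical consequence of the comment above is that an expired or must-change AD password shows up on the client as a plain bind failure, and the only way to tell it apart from a wrong password is the reason code AD embeds in the bind response's diagnostic message. The following helper is an added example written for this page, not code from sssd or from the bug; the sample diagnostic strings (including the DSID value) are constructed, and the mapping of the hex "data" codes to their meaning follows the documented AD convention for these four conditions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample bind failures in the shape AD returns in the LDAP bind
# response's diagnosticMessage; the DSID value is a placeholder, not a real one.
SAMPLE_BIND_FAILURES = [
    "80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 532, v2580",
    "80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 773, v2580",
    "80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v2580",
    "80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 775, v2580",
]

# Win32 reason codes AD places after "data" (in hex). Only the conditions
# relevant to this bug are listed; anything else is reported as unrecognised.
AD_DATA_CODES = {
    0x52E: "invalid credentials",
    0x532: "password expired",
    0x773: "password must be changed at next logon",
    0x775: "account locked out",
}

# Conditions for which AD refuses the bind outright, so there is no grace
# bind in which the client could perform an LDAP password change.
_NO_LDAP_GRACE = {0x532, 0x773}

_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")


@dataclass
class BindFailure:
    code: Optional[int]                      # parsed hex reason code, None if absent
    reason: str                              # human-readable meaning
    password_change_possible_over_ldap: bool # False when AD blocks the bind itself
    recommended_path: str                    # what an admin should route the user to


def classify_ad_bind_failure(diagnostic: str) -> BindFailure:
    """Parse an AD bind diagnostic message and say whether the failure is one
    the client could have resolved with an LDAP-based password change."""
    m = _DATA_RE.search(diagnostic)
    if not m:
        return BindFailure(None, "no reason code present", False,
                           "inspect the server-side logs")
    code = int(m.group(1), 16)
    reason = AD_DATA_CODES.get(code, "unrecognised code")
    if code in _NO_LDAP_GRACE:
        # This is the case the bug describes: the password must change, but the
        # bind is refused, so the change has to go through Kerberos (kpasswd).
        return BindFailure(code, reason, False,
                           "perform the password change via Kerberos, not LDAP")
    if code == 0x52E:
        return BindFailure(code, reason, False, "verify the supplied credentials")
    if code == 0x775:
        return BindFailure(code, reason, False, "wait for or clear the lockout, then retry")
    return BindFailure(code, reason, False, "look up the reason code")


def needs_kerberos_password_change(diagnostic: str) -> bool:
    """True when the failure is a forced/expired password that LDAP cannot fix."""
    return classify_ad_bind_failure(diagnostic).code in _NO_LDAP_GRACE


if __name__ == "__main__":
    for msg in SAMPLE_BIND_FAILURES:
        result = classify_ad_bind_failure(msg)
        print(f"{result.code:#x}: {result.reason} -> {result.recommended_path}")
```

Running this over the constructed samples flags the 532 and 773 cases as the ones that can only be resolved by a Kerberos password change, which is exactly the population of users who would otherwise be locked out of an LDAP-only authentication setup; the 52e case is a genuine credential problem and should not be routed to a password-change flow.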

