Bug 875677 - password expiry warning message doesn't appear during auth
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Jakub Hrozek
QA Contact: Kaushik Banerjee
Keywords: Regression
Depends On:
Blocks: 886216
 
Reported: 2012-11-12 05:57 EST by Kaushik Banerjee
Modified: 2013-02-21 04:40 EST

See Also:
Fixed In Version: sssd-1.9.2-34.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Last Closed: 2013-02-21 04:40:02 EST
Type: Bug


Description Kaushik Banerjee 2012-11-12 05:57:34 EST
Description of problem:
password expiry warning message doesn't appear during auth

Version-Release number of selected component (if applicable):
1.9.2-7

How reproducible:
Always

Steps to Reproduce:
1. Enable password expired warning interval on the 389-ds server as:
    dn: cn=config
    changetype: modify
    add: passwordExp
    passwordExp: on
    -
    add: passwordMaxAge
    passwordMaxAge: 86400
    -
    add: passwordWarning
    passwordWarning: 86400

2. Change the user's password once:
# ssh -l puser1 localhost
puser1@localhost's password: 
Last login: Mon Nov 12 13:38:30 2012 from localhost
-sh-4.1$ passwd
Changing password for user puser1.
Current Password: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
-sh-4.1$ logout

3. Try to auth with the changed password:
# ssh -l puser1 localhost
puser1@localhost's password: 
Last login: Mon Nov 12 16:22:24 2012 from localhost
-sh-4.1$ 

  
Actual results:
Password Expiry warning message doesn't appear during auth

Expected results:
Password expiry warning message should appear during auth.

Additional info:
/var/log/sssd/sssd_LDAP.log shows:
(Sun Nov 11 22:37:20 2012) [sssd[be[LDAP]]] [simple_bind_done] (0x2000): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].
(Sun Nov 11 22:37:20 2012) [sssd[be[LDAP]]] [simple_bind_done] (0x1000): Password Policy Response: expire [86400] grace [-1] error [No error].
(Sun Nov 11 22:37:20 2012) [sssd[be[LDAP]]] [simple_bind_done] (0x1000): Password will expire in [86400] seconds.
(Sun Nov 11 22:37:20 2012) [sssd[be[LDAP]]] [simple_bind_done] (0x2000): Server returned control [2.16.840.1.113730.3.4.5].
(Sun Nov 11 22:37:20 2012) [sssd[be[LDAP]]] [simple_bind_done] (0x1000): Password will expire in [86400] seconds.
(Sun Nov 11 22:37:20 2012) [sssd[be[LDAP]]] [simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
(Sun Nov 11 22:37:20 2012) [sssd[be[LDAP]]] [auth_bind_user_done] (0x4000): Found ppolicy data, assuming LDAP password policies are active.

/var/log/secure shows:
Nov 11 22:37:20 dhcp201-200 sshd[29978]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=puser1
Nov 11 22:37:20 dhcp201-200 sshd[29978]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=puser1
Nov 11 22:37:20 dhcp201-200 sshd[29978]: Accepted password for puser1 from ::1 port 35159 ssh2
Nov 11 22:37:21 dhcp201-200 sshd[29978]: pam_unix(sshd:session): session opened for user puser1 by (uid=0)
Comment 2 Pavel Březina 2012-11-12 08:57:53 EST
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1638
Comment 5 Kaushik Banerjee 2012-12-12 01:52:20 EST
Verified in version 1.9.2-37.el6

Output from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: password-policy_001: passwordMaxAge=24 hours
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
[  OK  ]
:: [13:59:50] ::  Sleeping for 5 seconds
:: [   PASS   ] :: Running 'chmod +x /tmp/tmp.imoZgZR0da/ssh.sh'
spawn ssh -o StrictHostKeyChecking=no ppuser1@localhost
ppuser1@localhost's password: 
Your password will expire in 1 day(s).
Creating directory '/home/ppuser1'.
[ppuser1@hp-dl360gen8-01 ~]$ 
:: [   PASS   ] :: Running '/tmp/tmp.imoZgZR0da/ssh.sh'
:: [   PASS   ] :: File '/var/log/secure' should contain 'Your password will expire in '
:: [   PASS   ] :: File '/var/log/sssd/sssd_LDAP.log' should contain 'Server returned control \[1.3.6.1.4.1.42.2.27.8.5.1\]'
:: [   PASS   ] :: File '/var/log/sssd/sssd_LDAP.log' should contain 'Password will expire in \[86'
:: [   PASS   ] :: File '/var/log/sssd/sssd_LDAP.log' should not contain 'Server does not support the requested control \[1.3.6.1.4.1.42.2.27.8.5.1\]'
password-policy-001 result: PASS
Comment 6 errata-xmlrpc 2013-02-21 04:40:02 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html
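
The condition in this report, as an added example that is not SSSD or Beaker code: the backend log records a password-expiry value while the PAM log shows no warning under the same sshd PID. The `affected` sample lines are taken from the description above; the `fixed` sample, the function names, and the `User info message:` prefix in it are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not SSSD or Beaker code): flag logins where the backend saw
# a password-expiry value but the PAM log shows no warning for that sshd PID.

backend_expiry_seconds() {   # $1 = sssd domain log; prints smallest N or nothing
    sed -n 's/.*Password will expire in \[\([0-9][0-9]*\)] seconds.*/\1/p' "$1" |
        sort -n | head -n 1
}

logins_without_warning() {   # $1 = PAM log; prints PID:USER per unwarned login
    awk '
        { pid = "" }
        match($0, /sshd\[[0-9]+\]/) { pid = substr($0, RSTART + 5, RLENGTH - 6) }
        /pam_sss\(sshd:auth\): authentication success/ && pid != "" &&
            match($0, / user=[^ ]+/) { user[pid] = substr($0, RSTART + 6, RLENGTH - 6) }
        /Your password will expire in / && pid != "" { warned[pid] = 1 }
        END { for (p in user) if (!(p in warned)) print p ":" user[p] }
    ' "$1" | sort
}

check_expiry_warning() {   # $1 = sssd domain log, $2 = PAM log; prints a verdict
    secs=$(backend_expiry_seconds "$1")
    [ -n "$secs" ] || { echo "no-policy-data"; return 0; }
    missing=$(logins_without_warning "$2")
    if [ -n "$missing" ]; then
        echo "missing-warning expire=${secs}s logins:" $missing
    else
        echo "ok expire=${secs}s"
    fi
}

write_samples() {   # $1 = directory; "fixed" lines are constructed, others from the report
    cat > "$1/sssd_LDAP.log" <<'EOF'
(Sun Nov 11 22:37:20 2012) [sssd[be[LDAP]]] [simple_bind_done] (0x1000): Password will expire in [86400] seconds.
EOF
    cat > "$1/secure.affected" <<'EOF'
Nov 11 22:37:20 dhcp201-200 sshd[29978]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=puser1
Nov 11 22:37:20 dhcp201-200 sshd[29978]: Accepted password for puser1 from ::1 port 35159 ssh2
EOF
    cat > "$1/secure.fixed" <<'EOF'
Dec 12 13:59:55 host sshd[4242]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=ppuser1
Dec 12 13:59:55 host sshd[4242]: pam_sss(sshd:auth): User info message: Your password will expire in 1 day(s).
EOF
}

d=$(mktemp -d) && write_samples "$d"
check_expiry_warning "$d/sssd_LDAP.log" "$d/secure.affected"
check_expiry_warning "$d/sssd_LDAP.log" "$d/secure.fixed"
rm -rf "$d"
```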
