Bug 875677 - password expiry warning message doesn't appear during auth
Summary: password expiry warning message doesn't appear during auth
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 886216
TreeView+ depends on / blocked
 
Reported: 2012-11-12 10:57 UTC by Kaushik Banerjee
Modified: 2020-05-02 17:05 UTC (History)
5 users (show)

Fixed In Version: sssd-1.9.2-34.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Clone Of:
Environment:
Last Closed: 2013-02-21 09:40:02 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Priority Status Summary Last Updated
Github SSSD sssd issues 2680 None None None 2020-05-02 17:05:47 UTC
Red Hat Product Errata RHSA-2013:0508 normal SHIPPED_LIVE Low: sssd security, bug fix and enhancement update 2013-02-20 21:30:10 UTC

Description Kaushik Banerjee 2012-11-12 10:57:34 UTC 
Description of problem:
password expiry warning message doesn't appear during auth

Version-Release number of selected component (if applicable):
1.9.2-7

How reproducible:
Always

Steps to Reproduce:
1. Enable password expired warning interval on the 389-ds server as:
    dn: cn=config
    changetype: modify
    add: passwordExp
    passwordExp: on
    -
    add: passwordMaxAge
    passwordMaxAge: 86400
    -
    add: passwordWarning
    passwordWarning: 86400

2. Change the user's password once:
# ssh -l puser1 localhost
puser1@localhost's password: 
Last login: Mon Nov 12 13:38:30 2012 from localhost
-sh-4.1$ passwd
Changing password for user puser1.
Current Password: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
-sh-4.1$ logout

3. Try to auth with the changed password:
# ssh -l puser1 localhost
puser1@localhost's password: 
Last login: Mon Nov 12 16:22:24 2012 from localhost
-sh-4.1$ 

  
Actual results:
Password Expiry warning message doesn't appear during auth

Expected results:
Password expiry warning message should appear during auth.

Additional info:
/var/log/sssd/sssd_LDAP.log shows:
(Sun Nov 11 22:37:20 2012) [sssd[be[LDAP]]] [simple_bind_done] (0x2000): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].
(Sun Nov 11 22:37:20 2012) [sssd[be[LDAP]]] [simple_bind_done] (0x1000): Password Policy Response: expire [86400] grace [-1] error [No error].
(Sun Nov 11 22:37:20 2012) [sssd[be[LDAP]]] [simple_bind_done] (0x1000): Password will expire in [86400] seconds.
(Sun Nov 11 22:37:20 2012) [sssd[be[LDAP]]] [simple_bind_done] (0x2000): Server returned control [2.16.840.1.113730.3.4.5].
(Sun Nov 11 22:37:20 2012) [sssd[be[LDAP]]] [simple_bind_done] (0x1000): Password will expire in [86400] seconds.
(Sun Nov 11 22:37:20 2012) [sssd[be[LDAP]]] [simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
(Sun Nov 11 22:37:20 2012) [sssd[be[LDAP]]] [auth_bind_user_done] (0x4000): Found ppolicy data, assuming LDAP password policies are active.

/var/log/secure shows:
Nov 11 22:37:20 dhcp201-200 sshd[29978]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=puser1
Nov 11 22:37:20 dhcp201-200 sshd[29978]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=puser1
Nov 11 22:37:20 dhcp201-200 sshd[29978]: Accepted password for puser1 from ::1 port 35159 ssh2
Nov 11 22:37:21 dhcp201-200 sshd[29978]: pam_unix(sshd:session): session opened for user puser1 by (uid=0)
Comment 2 Pavel Březina 2012-11-12 13:57:53 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1638
Comment 5 Kaushik Banerjee 2012-12-12 06:52:20 UTC 
Verified in version 1.9.2-37.el6

Output from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: password-policy_001: passwordMaxAge=24 hours
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
[  OK  ]
:: [13:59:50] ::  Sleeping for 5 seconds
:: [   PASS   ] :: Running 'chmod +x /tmp/tmp.imoZgZR0da/ssh.sh'
spawn ssh -o StrictHostKeyChecking=no ppuser1@localhost
ppuser1@localhost's password: 
Your password will expire in 1 day(s).
Creating directory '/home/ppuser1'.
[ppuser1@hp-dl360gen8-01 ~]$ 
:: [   PASS   ] :: Running '/tmp/tmp.imoZgZR0da/ssh.sh'
:: [   PASS   ] :: File '/var/log/secure' should contain 'Your password will expire in '
:: [   PASS   ] :: File '/var/log/sssd/sssd_LDAP.log' should contain 'Server returned control \[1.3.6.1.4.1.42.2.27.8.5.1\]'
:: [   PASS   ] :: File '/var/log/sssd/sssd_LDAP.log' should contain 'Password will expire in \[86'
:: [   PASS   ] :: File '/var/log/sssd/sssd_LDAP.log' should not contain 'Server does not support the requested control \[1.3.6.1.4.1.42.2.27.8.5.1\]'
password-policy-001 result: PASS
Comment 6 errata-xmlrpc 2013-02-21 09:40:02 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html
Note You need to log in before you can comment on or make changes to this bug.