I got this working on CentOS 6 using the following for password-auth-ac / system-auth-ac.
#%PAM-1.0
# pam_succeed_if.so in auth MUST be sufficient
# pam_succeed_if.so in account does not currently work with uid under 500 and pwdReset:TRUE in OpenLDAP

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
#account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account sufficient pam_sss.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session sufficient pam_sss.so
session required pam_unix.so
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Physiology and Biophysics
Weill Cornell Medicine
E: doug@med.cornell.edu O: 212-746-5454 F: 212-746-8690
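Editor's note, added here and not part of the thread: the security-relevant property of the auth stack above is what libpam's control flags do with the pam_succeed_if line. A `sufficient` module that succeeds (with no earlier `required` failure) returns success to the application immediately, so once pam_unix has failed for an LDAP user, `auth sufficient pam_succeed_if.so uid >= 500` alone decides the outcome and pam_sss is never consulted; with `requisite` (the form authconfig generates on CentOS 6), a passed predicate only lets evaluation continue to pam_sss. The simulator below walks the auth stack under those semantics for a few constructed users. The module outcome model (`module_result`) is a hypothetical simplification for illustration, not the real modules' behaviour, and the PAM_NEW_AUTHTOK_REQD path that pwdReset depends on is outside its scope; the config text is the stack quoted above, reflowed one rule per line.

```python
import re

# Constructed sample: the auth stack from the message above, one rule per
# line as PAM reads it. Only the auth stack is simulated here.
POSTED_AUTH = """\
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
"""

# Same stack with 'requisite' on the pam_succeed_if line (the form authconfig
# generates on CentOS 6): a failed predicate ends the stack with a denial, a
# passed predicate merely lets evaluation continue to pam_sss.
REQUISITE_AUTH = POSTED_AUTH.replace(
    "sufficient pam_succeed_if.so", "requisite pam_succeed_if.so")

# A '[...]' control field counts as a single token.
TOKEN_RE = re.compile(r"\[[^\]]*\]|\S+")


def parse_pam(text):
    """Return [(type, control, module, args)] for every rule in a PAM file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tok = TOKEN_RE.findall(line)
        if len(tok) < 3:
            continue
        rules.append((tok[0].lstrip("-"), tok[1], tok[2], tok[3:]))
    return rules


def module_result(module, args, user):
    """Hypothetical outcome model for a test user (not real module code).

    user = {"uid": int, "backend": "local" | "ldap", "password_ok": bool}
    """
    if module == "pam_env.so":
        return True
    if module == "pam_unix.so":                     # knows only /etc/shadow users
        return user["backend"] == "local" and user["password_ok"]
    if module == "pam_sss.so":                      # knows only sssd/LDAP users
        return user["backend"] == "ldap" and user["password_ok"]
    if module == "pam_succeed_if.so":               # only 'uid <op> N' is modelled
        m = re.match(r"uid\s*(>=|<=|!=|=|<|>)\s*(\d+)", " ".join(args))
        ops = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
               "!=": lambda a, b: a != b, "=": lambda a, b: a == b,
               "<": lambda a, b: a < b, ">": lambda a, b: a > b}
        return bool(m) and ops[m.group(1)](user["uid"], int(m.group(2)))
    return False                                    # pam_deny.so and anything unknown


def authenticates(config_text, user):
    """Walk the auth stack with libpam's control-flag semantics.

    sufficient: success (with no earlier required failure) returns success at once.
    requisite:  failure returns failure at once.
    required:   failure is remembered; evaluation continues.
    """
    required_failed = False
    for mtype, control, module, args in parse_pam(config_text):
        if mtype != "auth":
            continue
        ok = module_result(module, args, user)
        if control == "sufficient":
            if ok and not required_failed:
                return True       # nothing after this line is consulted
        elif control == "requisite":
            if not ok:
                return False
        elif control == "required":
            required_failed = required_failed or not ok
        # 'optional' and '[...]' controls do not occur in this auth stack
    return not required_failed


def scenarios():
    """Outcome per (stack, user) pair; True means the login would be accepted."""
    ldap_wrong = {"uid": 1000, "backend": "ldap", "password_ok": False}
    ldap_right = {"uid": 1000, "backend": "ldap", "password_ok": True}
    root_wrong = {"uid": 0, "backend": "local", "password_ok": False}
    return {
        "posted / ldap user, wrong password": authenticates(POSTED_AUTH, ldap_wrong),
        "posted / ldap user, right password": authenticates(POSTED_AUTH, ldap_right),
        "posted / root, wrong password": authenticates(POSTED_AUTH, root_wrong),
        "requisite / ldap user, wrong password": authenticates(REQUISITE_AUTH, ldap_wrong),
        "requisite / ldap user, right password": authenticates(REQUISITE_AUTH, ldap_right),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:45s} -> {'ACCEPTED' if accepted else 'denied'}")
```

Running it shows the `posted` stack accepting the LDAP user with a wrong password (the stack ends at pam_succeed_if) while the `requisite` variant denies that user and still accepts the right password via pam_sss; local accounts below uid 500 are unaffected either way. The parser can be pointed at a real /etc/pam.d file to list which modules carry `sufficient` in the auth stack, which is the line to review whenever a predicate-only module such as pam_succeed_if appears there.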
On Thu, Aug 25, 2016 at 4:59 PM, Lukas Slebodnik lslebodn@redhat.com wrote:
On (25/08/16 20:44), xcorvis@gmail.com wrote:
I have an environment set up with OpenLDAP, ppolicy and sssd on Ubuntu 12.04. I've got ppolicy working fine, for the most part, but I'm trying to set pwdReset: TRUE in LDAP to force users to change passwords and it's not having any effect. I have pwdMustChange: TRUE in the default password policy, and password prompts for expired passwords work, so I know it's not grossly misconfigured or something.
I've spent a few days looking into this, and from other posts and blogs it sounds like pwdReset can be handled by sssd and is somehow enforced by pam, but I'm not seeing any error messages about pam or password resets (pam verbosity 3 and debug_level 9). With the lack of errors, I'm basically wondering what the requirements are to get pwdReset functioning with sssd?
Ubuntu 12.04 seems to have sssd 1.8.2[1]. The ppa[2] seems to have 1.11.5.
It would be good to test with a more recent version of sssd. You can try sssd in 16.04.
I can confirm that "pwdReset: TRUE" works with the latest sssd, 1.13, which is in xenial (16.04).
LS
[1] http://packages.ubuntu.com/search?keywords=sssd&searchon=names&suite=precise&section=all
[2] https://launchpad.net/~sssd/+archive/ubuntu/updates
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org