URL: https://github.com/SSSD/sssd/pull/305 Title: #305: krb5: use plain principal if password is expired
fidencio commented: """ Patch looks good and the following test has been manually done:
Preparation:
On client side: - Add 'krb5_use_enterprise_principal = True' to the domain's section - Restart SSSD
On server side: - Reset a user password (which makes the password expired)
Without Sumit's patch: ``` [ffidenci@client ~]$ ssh -l bob@sc.ff localhost Password: Password: Password: bob@sc.ff@localhost's password: Permission denied, please try again. bob@sc.ff@localhost's password: Permission denied, please try again. bob@sc.ff@localhost's password: Received disconnect from UNKNOWN port 65535:2: Too many authentication failures ```
With Sumit's patch: ``` [ffidenci@client ~]$ ssh -l bob@sc.ff localhost Password: Password: Password expired. Change your password now. Current Password: New password: Retype new password: Last failed login: Wed Jun 14 14:38:15 CEST 2017 from ::1 on ssh:notty There were 13 failed login attempts since the last successful login. Last login: Wed Jun 14 14:32:48 2017 from ::1 Could not chdir to home directory /home/bob: No such file or directory -sh-4.4$ ```
ACK! """
See the full comment at https://github.com/SSSD/sssd/pull/305#issuecomment-308419719
sssd-devel@lists.fedorahosted.org