Dear Lukas,

In this case the service is ssh. I just tried the same login using su - and it worked as expected: the expired-password prompt appeared.

- Seth
>>> su - worked
$ su - test-user
Password: 
Password expired. Change your password now.
Current Password: 
New password: 
Retype new password: 

>>>>>>>>>>>>>>>> PAM section of the sssd auth-people domain log for the ssh login that did not prompt
[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): dbus conn: 0x24302d0
[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[be[auth-people]]] [sbus_message_handler] (0x4000): Received SBUS method [pamHandler]
[sssd[be[auth-people]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
[sssd[be[auth-people]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [pamHandler]
[sssd[be[auth-people]]] [be_req_set_domain] (0x0400): Changing request domain from [auth-people] to [auth-people]
[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Got request with the following data
[sssd[be[auth-people]]] [pam_print_data] (0x0100): command: PAM_SETCRED
[sssd[be[auth-people]]] [pam_print_data] (0x0100): domain: auth-people
[sssd[be[auth-people]]] [pam_print_data] (0x0100): user: test-user
[sssd[be[auth-people]]] [pam_print_data] (0x0100): service: sshd
[sssd[be[auth-people]]] [pam_print_data] (0x0100): tty: ssh
[sssd[be[auth-people]]] [pam_print_data] (0x0100): ruser: 
[sssd[be[auth-people]]] [pam_print_data] (0x0100): rhost: ***.***.***.***
[sssd[be[auth-people]]] [pam_print_data] (0x0100): authtok type: 0
[sssd[be[auth-people]]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[be[auth-people]]] [pam_print_data] (0x0100): priv: 1
[sssd[be[auth-people]]] [pam_print_data] (0x0100): cli_pid: 27189
[sssd[be[auth-people]]] [pam_print_data] (0x0100): logon name: not set
[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Sending result [0][auth-people]
[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): dbus conn: 0x24302d0
[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[be[auth-people]]] [sbus_message_handler] (0x4000): Received SBUS method [pamHandler]
[sssd[be[auth-people]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
[sssd[be[auth-people]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [pamHandler]
[sssd[be[auth-people]]] [be_req_set_domain] (0x0400): Changing request domain from [auth-people] to [auth-people]
[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Got request with the following data
[sssd[be[auth-people]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
[sssd[be[auth-people]]] [pam_print_data] (0x0100): domain: auth-people
[sssd[be[auth-people]]] [pam_print_data] (0x0100): user: test-user
[sssd[be[auth-people]]] [pam_print_data] (0x0100): service: sshd
[sssd[be[auth-people]]] [pam_print_data] (0x0100): tty: ssh
[sssd[be[auth-people]]] [pam_print_data] (0x0100): ruser: 
[sssd[be[auth-people]]] [pam_print_data] (0x0100): rhost: ***.***.***.***
[sssd[be[auth-people]]] [pam_print_data] (0x0100): authtok type: 0
[sssd[be[auth-people]]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[be[auth-people]]] [pam_print_data] (0x0100): priv: 1
[sssd[be[auth-people]]] [pam_print_data] (0x0100): cli_pid: 27189
[sssd[be[auth-people]]] [pam_print_data] (0x0100): logon name: not set
[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Sending result [0][auth-people]
[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): dbus conn: 0x24302d0
[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[be[auth-people]]] [sbus_message_handler] (0x4000): Received SBUS method [pamHandler]
[sssd[be[auth-people]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
[sssd[be[auth-people]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [pamHandler]
[sssd[be[auth-people]]] [be_req_set_domain] (0x0400): Changing request domain from [auth-people] to [auth-people]
[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Got request with the following data
[sssd[be[auth-people]]] [pam_print_data] (0x0100): command: PAM_SETCRED
[sssd[be[auth-people]]] [pam_print_data] (0x0100): domain: auth-people
[sssd[be[auth-people]]] [pam_print_data] (0x0100): user: test-user
[sssd[be[auth-people]]] [pam_print_data] (0x0100): service: sshd
[sssd[be[auth-people]]] [pam_print_data] (0x0100): tty: ssh
[sssd[be[auth-people]]] [pam_print_data] (0x0100): ruser: 
[sssd[be[auth-people]]] [pam_print_data] (0x0100): rhost: ***.***.***.***
[sssd[be[auth-people]]] [pam_print_data] (0x0100): authtok type: 0
[sssd[be[auth-people]]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[be[auth-people]]] [pam_print_data] (0x0100): priv: 0
[sssd[be[auth-people]]] [pam_print_data] (0x0100): cli_pid: 27192
[sssd[be[auth-people]]] [pam_print_data] (0x0100): logon name: not set
[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Sending result [0][auth-people]

>>>>>>>>>> /etc/pam/password-auth
# Shared PAM stack. The sshd service file includes it for its auth, account,
# password and session phases, so every control flag here applies to ssh logins.

# --- auth: verify the password ---
auth        required      pam_env.so
# nullok lets a local account with an empty password authenticate.
auth        sufficient    pam_unix.so nullok try_first_pass
# Users with uid below 500 stop here and never reach pam_sss.
auth        requisite     pam_succeed_if.so uid >= 500 quiet
# "sufficient" ends the auth stack on new_authtok_reqd as well as on success.
# pam_sss reported result 12 (token no longer valid) for test-user, so auth
# still passes and the expired password has to be caught in the account phase.
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

# --- account: is the account allowed to log in (expiry, access rules) ---
account     required      pam_access.so
# NOTE(review): pam_unix is "sufficient" here. If it returns success for an sssd
# user that has no local shadow entry (likely with broken_shadow; confirm), the
# account stack ends on this line and pam_sss below is never consulted, so the
# expired password is not enforced. The sssd log for this ssh login shows only
# PAM_SETCRED and PAM_OPEN_SESSION requests, which is consistent with that.
# Compare with the stack used by su (not shown), where the prompt did appear.
account     sufficient    pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
# Only this line can report an expired sssd password; any result other than
# success or user_unknown counts as a failure of the stack.
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

# --- password: change the password ---
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
# NOTE(review): md5 stores new local password hashes with MD5 crypt, which is
# weak against offline guessing; pam_unix also supports sha512. nullok permits
# changing an account whose current password is empty.
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
# use_authtok reuses the new password collected by an earlier module.
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

# --- session: set up and tear down the login session ---
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
# success=1 skips the next module (pam_unix) when the service is crond.
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

>>>>>>>>>>>>> /etc/pam/sshd
# PAM service file for sshd. Each phase delegates to password-auth, so the
# outcome of an ssh login is decided by the control flags in that file.
auth       required     pam_sepermit.so
auth       include      password-auth
# pam_nologin runs first, then the account lines of password-auth.
# NOTE(review): password expiry for ssh is enforced only if the included account
# stack actually reaches pam_sss; check that no earlier "sufficient" line in
# password-auth ends the stack for sssd users.
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

>>>>>>>>>>>>>> /var/log/secure
sshd[27189]: pam_sss(sshd:auth): received for user test-user: 12 (Authentication token is no longer valid; new one required)
sshd[27189]: Accepted password for test-user from ***.***.***.*** port 50120 ssh2
sshd[27189]: pam_unix(sshd:session): session opened for user test-user by (uid=0)