I got this working on Centos 6 using the following for password-auth-ac / system-auth-ac.

#%PAM-1.0

# pam_succeed_if.so in auth MUST be sufficient

# pam_succeed_if.so in account does not currently work with uid under 500 and pwdReset:TRUE in OpenLDAP

auth        required      pam_env.so

auth        sufficient    pam_unix.so nullok try_first_pass

auth        sufficient    pam_succeed_if.so uid >= 500 quiet

auth        sufficient    pam_sss.so use_first_pass

auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow

account     sufficient    pam_localuser.so

#account     sufficient    pam_succeed_if.so uid < 500 quiet

account     [default=bad success=ok user_unknown=ignore] pam_sss.so

account     sufficient    pam_sss.so

account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok

password    sufficient    pam_sss.so use_authtok

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke

session     required      pam_limits.so

session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session     sufficient    pam_sss.so

session     required      pam_unix.so

Thanks,

Douglas Duckworth, MSc, LFCS
HPC System Administrator

Physiology and Biophysics

Weill Cornell Medicine

E: doug@med.cornell.edu
O: 212-746-5454
F: 212-746-8690

On Thu, Aug 25, 2016 at 4:59 PM, Lukas Slebodnik <lslebodn@redhat.com> wrote:

On (25/08/16 20:44), xcorvis@gmail.com wrote:
>I have an environment set up with OpenLDAP, ppolicy and sssd on Ubuntu 12.04. I've got ppolicy working fine, for the most part, but I'm trying to set pwdReset: TRUE in LDAP to force users to change passwords and it's not having any effect.  I have pwdMustChange: TRUE in the default password policy, and password prompts for expired passwords works, so I know it's not grossly misconfigured or something.
>
>I've spent a few days looking into this and from other posts and blogs it sounds like pwdReset can be handled by sssd and is somehow enforced by pam, but I'm not seeing any error messages about pam or password resets (pam verbosity 3 and debug_level 9). With the lack of errors, I'm basically wondering what are the requirements to get pwdReset functioning with sssd?
>
Ubuntu 12.04 seems to have sssd 1.8.2
The ppa[2] seems to have 1.11.5

It would be good to test with more recent version of sssd.
You can try sssd in 16.04.

I can confirm that "pwdReset: TRUE" works with latest sssd 1.13
which is in xenial(16.04)

LS

[1] https://urldefense.proofpoint.com/v2/url?u=http-3A__packages.ubuntu.com_search-3Fkeywords-3Dsssd-26searchon-3Dnames-26suite-3Dprecise-26section-3Dall&d=DQIGaQ&c=lb62iw4YL4RFalcE2hQUQealT9-RXrryqt9KZX2qu2s&r=2Fzhh_78OGspKQpl_e-CbhH6xUjnRkaqPFUS2wTJ2cw&m=e5O5zPnwDumy2ONJT4dlFcqr7saa51Qy72hsJc4f87I&s=N0Lii3TQAhrxxkHAsA1mnnJH_nzNooMhVjkJW9AGhio&e=
[2] https://urldefense.proofpoint.com/v2/url?u=https-3A__launchpad.net_-7Esssd_-2Barchive_ubuntu_updates&d=DQIGaQ&c=lb62iw4YL4RFalcE2hQUQealT9-RXrryqt9KZX2qu2s&r=2Fzhh_78OGspKQpl_e-CbhH6xUjnRkaqPFUS2wTJ2cw&m=e5O5zPnwDumy2ONJT4dlFcqr7saa51Qy72hsJc4f87I&s=Ql0q2KebQkGKdDX18BnMX8kAgrDhOP5veCzFmLu1GRg&e=
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.org_admin_lists_sssd-2Dusers-40lists.fedorahosted.org&d=DQIGaQ&c=lb62iw4YL4RFalcE2hQUQealT9-RXrryqt9KZX2qu2s&r=2Fzhh_78OGspKQpl_e-CbhH6xUjnRkaqPFUS2wTJ2cw&m=e5O5zPnwDumy2ONJT4dlFcqr7saa51Qy72hsJc4f87I&s=Ik1cAF4mlAZIwL7EXJakHVYvpY3FXgdmwJFM3W4qNp4&e=