I got this working on Centos 6 using the following for password-auth-ac / system-auth-ac.

#%PAM-1.0
# pam_succeed_if.so in auth MUST be sufficient
# pam_succeed_if.so in account does not currently work with uid under 500 and pwdReset:TRUE in OpenLDAP
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
#account    sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     sufficient    pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_sss.so
session     required      pam_unix.so

Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Physiology and Biophysics
Weill Cornell Medicine

On Thu, Aug 25, 2016 at 4:59 PM, Lukas Slebodnik <lslebodn@redhat.com> wrote:
On (25/08/16 20:44), xcorvis@gmail.com wrote:
>I have an environment set up with OpenLDAP, ppolicy and sssd on Ubuntu 12.04. I've got ppolicy working fine, for the most part, but I'm trying to set pwdReset: TRUE in LDAP to force users to change passwords and it's not having any effect. I have pwdMustChange: TRUE in the default password policy, and password prompts for expired passwords works, so I know it's not grossly misconfigured or something.
>
>I've spent a few days looking into this and from other posts and blogs it sounds like pwdReset can be handled by sssd and is somehow enforced by pam, but I'm not seeing any error messages about pam or password resets (pam verbosity 3 and debug_level 9). With the lack of errors, I'm basically wondering what are the requirements to get pwdReset functioning with sssd?
>
Ubuntu 12.04 seems to have sssd 1.8.2
The ppa[2] seems to have 1.11.5
It would be good to test with a more recent version of sssd.
You can try sssd in 16.04.
I can confirm that "pwdReset: TRUE" works with latest sssd 1.13
which is in xenial (16.04)
LS
[1] http://packages.ubuntu.com/search?keywords=sssd&searchon=names&suite=precise&section=all
[2] https://launchpad.net/~sssd/+archive/ubuntu/updates
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
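The control flag on the pam_succeed_if.so line in the auth stack at the top of this thread decides whether that line merely gates which users reach pam_sss.so or ends the stack itself. The script below is an added example, not code from the thread or from the sssd or Linux-PAM projects: it is a simplified model of Linux-PAM's stacking rules (the impression/status logic of pam_dispatch.c, with the bracketed equivalents of required/requisite/sufficient/optional from pam.conf(5)), fed the quoted auth stack and a constructed scenario. The module return codes in the scenario (which module returns success, user_unknown or auth_err) are assumptions chosen to represent a directory user with no local shadow entry; pam_succeed_if.so is evaluated from its own arguments, and only its simple "field op value" form is supported.

```python
"""Simplified model of Linux-PAM stack evaluation (impression/status logic of pam_dispatch.c).

Added example, not from the thread: given pam.d-style lines and the return code each
module would produce in a scenario, report the stack's result and which modules ran.
"""
import operator
import re

# Bracketed equivalents of the classic control keywords, per pam.conf(5).
CONTROL_ALIASES = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(?:\s+(.*))?$")
SUCCEED_IF_FLAGS = {"quiet", "quiet_fail", "quiet_success", "debug", "use_uid", "audit"}
COMPARE = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge,
           "=": operator.eq, "!=": operator.ne}

def parse_control(control):
    """Map 'sufficient' or '[default=bad success=ok ...]' to a {retcode: action} dict."""
    if control in CONTROL_ALIASES:
        return dict(CONTROL_ALIASES[control])
    if control.startswith("[") and control.endswith("]"):
        return dict(tok.split("=", 1) for tok in control[1:-1].split())
    raise ValueError(f"unknown control field: {control}")

def parse_stack(text):
    """Parse pam.d lines into (type, actions, module, args); comments and blanks are skipped."""
    rules = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse PAM line: {line}")
        mtype, control, module, args = m.groups()
        rules.append((mtype, parse_control(control), module, (args or "").split()))
    return rules

def succeed_if(args, user):
    """Evaluate the 'field op value' form of pam_succeed_if.so against a user dict."""
    field, op, value = [a for a in args if a not in SUCCEED_IF_FLAGS][:3]
    actual = user.get(field, "")
    if op in ("in", "notin"):
        return "success" if (str(actual) in value.split(":")) == (op == "in") else "auth_err"
    if field in ("uid", "gid"):
        actual, value = int(actual), int(value)
    return "success" if COMPARE[op](actual, value) else "auth_err"

def run_stack(rules, stack_type, outcomes, user):
    """Walk one stack type; return (final status, modules consulted in order).
    outcomes maps module -> return code for this scenario (unlisted modules return 'ignore')."""
    rules = [r for r in rules if r[0] == stack_type]
    impression, status, consulted, i = None, None, [], 0
    while i < len(rules):
        _, actions, module, args = rules[i]
        i += 1
        ret = succeed_if(args, user) if module == "pam_succeed_if.so" else outcomes.get(module, "ignore")
        consulted.append(module)
        action = actions.get(ret, actions.get("default", "bad"))
        if action.isdigit():              # jump N rules, otherwise behaves like 'ok'
            i += int(action)
            action = "ok"
        if action == "ignore":
            continue
        if action == "reset":
            impression, status = None, None
        elif action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos", ret   # no failure recorded yet: take this result
            if action == "done" and impression == "pos":
                break                             # 'sufficient' ends the stack right here
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", ret   # first failure wins
            if action == "die":
                break
    return (status if impression is not None else "perm_denied"), consulted

# The auth stack from the message at the top of the thread, pam_succeed_if line as posted.
POSTED_AUTH = """
auth required   pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required   pam_deny.so
"""
# Same stack with that one line changed to requisite, so it only gates who reaches pam_sss.
GATED_AUTH = POSTED_AUTH.replace("sufficient pam_succeed_if.so", "requisite pam_succeed_if.so")

# Constructed scenario (assumed return codes): a directory user with no local shadow entry.
WRONG_PASSWORD = {"pam_env.so": "success", "pam_unix.so": "user_unknown",
                  "pam_sss.so": "auth_err", "pam_deny.so": "auth_err"}
RIGHT_PASSWORD = {**WRONG_PASSWORD, "pam_sss.so": "success"}

def evaluate(stack_text, outcomes, uid=1000):
    return run_stack(parse_stack(stack_text), "auth", outcomes, {"uid": uid})

if __name__ == "__main__":
    for name, stack in (("posted", POSTED_AUTH), ("gated", GATED_AUTH)):
        for label, outcome in (("wrong", WRONG_PASSWORD), ("right", RIGHT_PASSWORD)):
            print(name, label, *evaluate(stack, outcome))
```

Run as is, the posted stack returns success for the uid-1000 user as soon as pam_succeed_if.so fires, and pam_sss.so never appears in the consulted list for either password; with the line set to requisite, the same user falls through to pam_sss.so and a wrong password ends at pam_deny.so with auth_err, while a uid below 500 is stopped at pam_succeed_if.so. The model covers only stack control flow: it does not prompt, does not evaluate the account, password or session stacks, and treats any module missing from the scenario as ignore, so adapt the outcomes dict to the modules you actually want to reason about.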