I got this working on Centos 6 using the following for password-auth-ac / system-auth-ac. #%PAM-1.0 # pam_succeed_if.so in auth MUST be sufficient # pam_succeed_if.so in account does not currently work with uid under 500 and pwdReset:TRUE in OpenLDAP auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth sufficient pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so #account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account sufficient pam_sss.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session sufficient pam_sss.so session required pam_unix.so Thanks, Douglas Duckworth, MSc, LFCS HPC System Administrator Physiology and Biophysics Weill Cornell Medicine E: doug(a)med.cornell.edu O: 212-746-5454 F: 212-746-8690 On Thu, Aug 25, 2016 at 4:59 PM, Lukas Slebodnik <lslebodn(a)redhat.com&gt; wrote: > On (25/08/16 20:44), xcorvis(a)gmail.com wrote: > >I have an environment set up with OpenLDAP, ppolicy and sssd on Ubuntu > 12.04. I've got ppolicy working fine, for the most part, but I'm trying to > set pwdReset: TRUE in LDAP to force users to change passwords and it's not > having any effect. I have pwdMustChange: TRUE in the default password > policy, and password prompts for expired passwords works, so I know it's > not grossly misconfigured or something. > > > >I've spent a few days looking into this and from other posts and blogs > it sounds like pwdReset can be handled by sssd and is somehow enforced by > pam, but I'm not seeing any error messages about pam or password resets > (pam verbosity 3 and debug_level 9). With the lack of errors, I'm basically > wondering what are the requirements to get pwdReset functioning with sssd? > > > Ubuntu 12.04 seems to have sssd 1.8.2 > The ppa[2] seems to have 1.11.5 > > It would be good to test with more recent version of sssd. > You can try sssd in 16.04. > > I can confirm that "pwdReset: TRUE" works with latest sssd 1.13 > which is in xenial(16.04) > > LS > > [1] https://urldefense.proofpoint.com/v2/url?u=http-3A__packages > .ubuntu.com_search-3Fkeywords-3Dsssd-26searchon-3Dnames- > 26suite-3Dprecise-26section-3Dall&d=DQIGaQ&c=lb62iw4YL4RFa > lcE2hQUQealT9-RXrryqt9KZX2qu2s&r=2Fzhh_78OGspKQpl_e-CbhH6xUj > nRkaqPFUS2wTJ2cw&m=e5O5zPnwDumy2ONJT4dlFcqr7saa51Qy72hsJc4f8 > 7I&s=N0Lii3TQAhrxxkHAsA1mnnJH_nzNooMhVjkJW9AGhio&e= > [2] https://urldefense.proofpoint.com/v2/url?u=https-3A__launchp > ad.net_-7Esssd_-2Barchive_ubuntu_updates&d=DQIGaQ&c=lb62 > iw4YL4RFalcE2hQUQealT9-RXrryqt9KZX2qu2s&r=2Fzhh_78OGspKQpl_ > e-CbhH6xUjnRkaqPFUS2wTJ2cw&m=e5O5zPnwDumy2ONJT4dlFcqr7saa51Q > y72hsJc4f87I&s=Ql0q2KebQkGKdDX18BnMX8kAgrDhOP5veCzFmLu1GRg&e= > _______________________________________________ > sssd-users mailing list > sssd-users(a)lists.fedorahosted.org > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.f > edorahosted.org_admin_lists_sssd-2Dusers-40lists.fedorahoste > d.org&d=DQIGaQ&c=lb62iw4YL4RFalcE2hQUQealT9-RXrryqt9KZX2qu2s > &r=2Fzhh_78OGspKQpl_e-CbhH6xUjnRkaqPFUS2wTJ2cw&m=e5O5zPnwDum > y2ONJT4dlFcqr7saa51Qy72hsJc4f87I&s=Ik1cAF4mlAZIwL7EXJakHVYvp > Y3FXgdmwJFM3W4qNp4&e= >