I got this working on CentOS 6 using the following for password-auth-ac / system-auth-ac.

#%PAM-1.0
# pam_succeed_if.so in auth MUST be sufficient
# pam_succeed_if.so in account does not currently work with uid under 500 and pwdReset:TRUE in OpenLDAP

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
#account    sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     sufficient    pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_sss.so
session     required      pam_unix.so
Douglas Duckworth, MSc, LFCS HPC System Administrator Physiology and Biophysics Weill Cornell Medicine E: doug@med.cornell.edu O: 212-746-5454 F: 212-746-8690
On Thu, Aug 25, 2016 at 4:59 PM, Lukas Slebodnik lslebodn@redhat.com wrote:
On (25/08/16 20:44), xcorvis@gmail.com wrote:
I have an environment set up with OpenLDAP, ppolicy and sssd on Ubuntu 12.04. I've got ppolicy working fine, for the most part, but I'm trying to set pwdReset: TRUE in LDAP to force users to change passwords and it's not having any effect. I have pwdMustChange: TRUE in the default password policy, and password prompts for expired passwords work, so I know it's not grossly misconfigured or something.

I've spent a few days looking into this and from other posts and blogs it sounds like pwdReset can be handled by sssd and is somehow enforced by pam, but I'm not seeing any error messages about pam or password resets (pam verbosity 3 and debug_level 9). With the lack of errors, I'm basically wondering what are the requirements to get pwdReset functioning with sssd?
Ubuntu 12.04 seems to have sssd 1.8.2. The ppa[2] seems to have 1.11.5.

It would be good to test with a more recent version of sssd. You can try sssd in 16.04.

I can confirm that "pwdReset: TRUE" works with the latest sssd 1.13, which is in xenial (16.04).
[1] http://packages.ubuntu.com/search?keywords=sssd&searchon=names&suite=precise&section=all
[2] https://launchpad.net/~sssd/+archive/ubuntu/updates

_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
Please ignore my previous email as this is insecure:
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
One does not simply have pam_unix as sufficient and expect to not get hacked
Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug@med.cornell.edu O: 212-746-5454 F: 212-746-8690
On Thu, Aug 25, 2016 at 5:27 PM, Douglas Duckworth dod2014@med.cornell.edu wrote:
On (16/09/16 14:55), Douglas Duckworth wrote:
Please ignore my previous email as this is insecure:
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
One does not simply have pam_unix as sufficient and expect to not get hacked
The problem is not with "pam_unix as sufficient" but is that the last entry for auth is not "pam_deny.so", e.g.

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
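As an added illustration of the control-flag point made in this reply (example code written for this page, not from the thread or from the sssd project): a small Python simulator of the Linux-PAM stack rules for required, requisite, sufficient and optional, run over the auth stack the thread calls insecure and over the corrected one. Module return codes are constructed per scenario and nothing here calls a real PAM library. The reply's corrected snippet makes two changes at once (pam_deny.so added at the end, pam_succeed_if.so changed from sufficient to requisite), so a third stack, NO_DENY_AUTH, is constructed here to isolate the effect of the missing pam_deny.so on its own.

```python
"""Simulator for Linux-PAM control-flag semantics, added as an example for
this thread (not code from the list or from the sssd project). Module return
codes are supplied per scenario; no real PAM library is used."""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_PERM_DENIED = "PAM_PERM_DENIED"  # returned if no module ever set a result

# The auth stack the thread calls insecure: no pam_deny.so at the end.
INSECURE_AUTH = """
auth required   pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
"""

# Constructed for this example: requisite pam_succeed_if.so but still no
# pam_deny.so, to isolate the effect of the missing final entry.
NO_DENY_AUTH = """
auth required   pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
"""

# The corrected stack from the reply.
FIXED_AUTH = """
auth required   pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required   pam_deny.so
"""

CONTROLS = ("required", "requisite", "sufficient", "optional")


def parse_stack(text, group="auth"):
    """Return (control, module) pairs for one management group; comments and
    other groups are skipped. Bracketed [value=action] controls are out of scope."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != group:
            continue
        control, module = fields[1], fields[2]
        if control not in CONTROLS:
            raise ValueError("unsupported control flag: %s" % control)
        stack.append((control, module))
    return stack


def run_stack(stack, outcomes):
    """Walk the stack the way Linux-PAM does. 'impression' is None until some
    module sets a result, True after a success, False after a recorded failure.
      required   : failure is recorded, later modules still run
      requisite  : failure is recorded and returned immediately
      sufficient : success returns immediately unless a failure was already
                   recorded; failure is ignored
      optional   : success counts only if nothing else set a result; failure ignored
    Returns (final code, list of modules actually invoked)."""
    impression, status, invoked = None, PAM_PERM_DENIED, []
    for control, module in stack:
        code = outcomes.get(module, PAM_AUTH_ERR)
        invoked.append(module)
        if code == PAM_SUCCESS:
            if impression is None:
                impression, status = True, code
            if control == "sufficient" and impression:
                return status, invoked
        elif control in ("required", "requisite"):
            if impression is not False:
                impression, status = False, code
            if control == "requisite":
                return status, invoked
        # sufficient or optional failure: ignored, the walk continues
    return status, invoked


def simulate(config_text, outcomes):
    return run_stack(parse_stack(config_text), outcomes)


def ldap_user_wrong_password():
    """Constructed: directory user with uid >= 500 supplies a wrong password."""
    return {"pam_env.so": PAM_SUCCESS, "pam_unix.so": PAM_USER_UNKNOWN,
            "pam_succeed_if.so": PAM_SUCCESS, "pam_sss.so": PAM_AUTH_ERR,
            "pam_deny.so": PAM_AUTH_ERR}


def ldap_user_right_password():
    """Constructed: same user, password accepted by pam_sss."""
    return dict(ldap_user_wrong_password(), **{"pam_sss.so": PAM_SUCCESS})


def local_root_wrong_password():
    """Constructed: local uid 0 user, wrong password, unknown to sssd."""
    return {"pam_env.so": PAM_SUCCESS, "pam_unix.so": PAM_AUTH_ERR,
            "pam_succeed_if.so": PAM_AUTH_ERR, "pam_sss.so": PAM_USER_UNKNOWN,
            "pam_deny.so": PAM_AUTH_ERR}


if __name__ == "__main__":
    stacks = (("insecure", INSECURE_AUTH), ("no pam_deny", NO_DENY_AUTH), ("fixed", FIXED_AUTH))
    scenarios = (ldap_user_wrong_password, ldap_user_right_password, local_root_wrong_password)
    for name, cfg in stacks:
        for scenario in scenarios:
            code, ran = simulate(cfg, scenario())
            print("%-12s %-26s -> %-16s via %s" % (name, scenario.__name__, code, ", ".join(ran)))
```

Running it shows the two failure modes separately: with NO_DENY_AUTH a wrong password from a directory user ends the walk with only pam_env.so's success on record, so the stack returns PAM_SUCCESS; with INSECURE_AUTH the sufficient pam_succeed_if.so returns success for any uid >= 500 before pam_sss.so is ever consulted. FIXED_AUTH denies both cases and still admits the user whose password pam_sss.so accepts.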