I got this working on CentOS 6 using the following for password-auth-ac / system-auth-ac.
#%PAM-1.0
# pam_succeed_if.so in auth MUST be sufficient
# pam_succeed_if.so in account does not currently work with uid under 500 and pwdReset:TRUE in OpenLDAP
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
#account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account sufficient pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session sufficient pam_sss.so
session required pam_unix.so
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Physiology and Biophysics
Weill Cornell Medicine
E: doug(a)med.cornell.edu
O: 212-746-5454
F: 212-746-8690
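As an added check that is not part of this thread: the evaluator below applies libpam's control-flag rules from pam.conf(5) to the auth section of the stack posted above, for a constructed directory-only user, and reports which module ends the stack and whether pam_sss.so is ever called; a second copy of the stack differs only in using the requisite flag that CentOS 6 authconfig writes on the pam_succeed_if line. The module return values and the 500 uid boundary are assumptions made for the simulation.

```python
# Linux-PAM control-flag evaluator (added example, not code from the thread).
# Module return values below are CONSTRUCTED stand-ins, not real PAM results.
SIMPLE = {  # keyword flags expressed as the bracket actions they stand for
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"}}

def control_actions(ctrl):
    if ctrl.startswith("["):  # explicit [retval=action ...] syntax
        return dict(kv.split("=", 1) for kv in ctrl.strip("[]").split())
    return SIMPLE[ctrl]

def run_stack(stack, results):
    """stack: [(control, module)]; results: module -> PAM return name. Returns (verdict, called)."""
    impression, called, skip = None, [], 0
    for ctrl, module in stack:
        if skip:                       # a [success=N] jump is skipping this entry
            skip -= 1
            continue
        ret = results[module]
        called.append(module)
        acts = control_actions(ctrl)
        action = acts.get(ret, acts["default"])
        if action in ("ok", "done"):
            impression = impression or "success"
            if impression == "success" and action == "done":
                return "success", called   # stack terminates here; later modules never run
        elif action in ("bad", "die"):
            impression = "fail"
            if action == "die":
                return "fail", called
        elif action != "ignore":
            skip = int(action)         # jump N: skip the next N modules
    return (impression or "fail"), called  # undecided stacks fail, as libpam does

POSTED = [("required", "pam_env.so"), ("sufficient", "pam_unix.so"),
          ("sufficient", "pam_succeed_if.so"), ("sufficient", "pam_sss.so"),
          ("required", "pam_deny.so")]
# Same stack, but pam_succeed_if carries the requisite flag authconfig normally writes.
REQUISITE = [("requisite" if m == "pam_succeed_if.so" else c, m) for c, m in POSTED]

def directory_user(uid, password_ok):  # constructed results for a user known only to sssd
    return {"pam_env.so": "success",
            "pam_unix.so": "user_unknown",   # assumption: no local shadow entry
            "pam_succeed_if.so": "success" if uid >= 500 else "auth_err",
            "pam_sss.so": "success" if password_ok else "auth_err",
            "pam_deny.so": "auth_err"}
```

Compare run_stack(POSTED, directory_user(1000, False)) with run_stack(REQUISITE, directory_user(1000, False)): the called list shows whether pam_sss.so was consulted before the stack returned.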
On Thu, Aug 25, 2016 at 4:59 PM, Lukas Slebodnik <lslebodn(a)redhat.com> wrote:
On (25/08/16 20:44), xcorvis(a)gmail.com wrote:
>I have an environment set up with OpenLDAP, ppolicy and sssd on Ubuntu
>12.04. I've got ppolicy working fine, for the most part, but I'm trying to
>set pwdReset: TRUE in LDAP to force users to change passwords and it's not
>having any effect. I have pwdMustChange: TRUE in the default password
>policy, and password prompts for expired passwords work, so I know it's
>not grossly misconfigured or something.
>
>I've spent a few days looking into this and from other posts and blogs it
>sounds like pwdReset can be handled by sssd and is somehow enforced by pam,
>but I'm not seeing any error messages about pam or password resets (pam
>verbosity 3 and debug_level 9). With the lack of errors, I'm basically
>wondering what are the requirements to get pwdReset functioning with sssd?
>
Ubuntu 12.04 seems to have sssd 1.8.2
The PPA [2] seems to have 1.11.5
It would be good to test with a more recent version of sssd.
You can try sssd in 16.04.
I can confirm that "pwdReset: TRUE" works with the latest sssd 1.13,
which is in xenial (16.04)
LS
[1] http://packages.ubuntu.com/search?keywords=sssd&searchon=names&suite=precise&section=all
[2] https://launchpad.net/~sssd/+archive/ubuntu/updates
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org