SSSD/AD 2008 and Password Change
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
sssd (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
I'm testing sssd in Ubuntu 12.04 precise (I understand it's still alpha) in preparation for its release soon. I currently have sssd configured for our AD 2008 domain. I can:
Log in
Get a TGT
Change password
But, when I set "change password on next login" within Active Directory, I got "Invalid password, please try again". Unchecking the box in AD requiring password change and using the same password again, I am allowed to log in to the account.
I haven't figured out the correct sssd.conf settings to allow me to log in to an account that is requiring a password change. I was hoping to get some help with this.
[sssd]
config_file_version = 2
services = nss, pam
domains = DOMAIN
try_inotify = true
debug_level = 10
[nss]
filter_groups = root, jason
filter_users = root, jason
[pam]
[domain/DOMAIN]
min_id = 1000
enumerate = true
id_provider = ldap
auth_provider = krb5
cache_credentials = true
chpass_provider = krb5
ldap_uri = ldap://DOMAIN.com
ldap_search_base = ou=accountsdc=
ldap_schema = rfc2307bis
ldap_user_
ldap_group_
ldap_krb5_
ldap_user_
ldap_user_principal = userPrincipalName
ldap_tls_reqcert = allow
ldap_user_name = sAMAccountName
ldap_user_fullname = sAMAccountName
ldap_krb5_
ldap_force_
ldap_sasl_mech = GSSAPI
ldap_sasl_
ldap_sasl_authid = VUT-PRECISE01$
krb5_server = DOMAIN.com
krb5_realm = DOMAIN.COM
krb5_kpasswd = DOMAIN.com
krb5_ccachedir = /tmp
krb5_ccname_
krb5_keytab = /etc/krb5.keytab
krb5_renewable_
krb5_lifetime = 24h
krb5_renew_interval = 10s
krb5_use_fast = try
Cheers!
Jason
You need to use:
access_provider = ldap
ldap_account_expire_policy = ad
ldap_access_order = expire
From sssd-ldap(5):
ldap_account_expire_policy (string)
    With this option a client side evaluation of access control attributes can be enabled.
    Please note that it is always recommended to use server side access control, i.e. the LDAP server should deny the bind request with a suitable error code even if the password is correct.
    The following values are allowed:
    shadow: use the value of ldap_user_shadow_expire to determine if the account is expired.
    ad: use the value of the 32bit field ldap_user_ad_user_account_control and allow access if the second bit is not set. If the attribute is missing access is granted. Also the expiration time of the account is checked.
    rhds, ipa, 389ds: use the value of ldap_ns_account_lock to check if access is allowed or not.
    nds: the values of ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and ldap_user_nds_login_expiration_time are used to check if access is allowed. If both attributes are missing access is granted.
    This is an experimental feature, please use http://fedorahosted.org/sssd to report any issues.
    Default: Empty
ldap_user_ad_account_expires (string)
    When using ldap_account_expire_policy=ad, this parameter determines the LDAP attribute holding the account expiration time.
    Default: accountExpires
ldap_user_ad_user_account_control (string)
    When using ldap_account_expire_policy=ad, this parameter determines the LDAP attribute holding the user account control bit field.
    Default: userAccountControl
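The client-side check that the quoted "ad" policy describes, written out as an added example. This is not sssd's code and not part of the bug report: it uses the default attribute names from the man page (userAccountControl and accountExpires), assumes AD's FILETIME encoding for accountExpires (100 ns ticks since 1601-01-01 UTC, with 0 and 0x7FFFFFFFFFFFFFFF meaning "never expires"), and the sample entries below are constructed, not real directory data.

```python
"""Client-side evaluation of the two AD attributes that the sssd-ldap(5) text
above says ldap_account_expire_policy=ad looks at. Illustrative
re-implementation, not sssd's own code. Assumptions: userAccountControl is a
decimal 32-bit bit field whose second bit (0x2) marks a disabled account;
accountExpires is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) where
0 and 0x7FFFFFFFFFFFFFFF both mean "never expires"."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)
ACCOUNTDISABLE = 0x2  # second bit of userAccountControl


def utc(year, month, day):
    """Small helper for building aware UTC datetimes."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert an accountExpires FILETIME value to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here to build sample data."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def account_allowed(entry, now=None):
    """Apply the 'ad' expire policy to one LDAP entry.

    entry maps attribute name -> list of string values, the shape an LDAP
    search returns. Returns (allowed, reason). A missing attribute grants
    access, exactly as the man page states for the bit-field check.
    """
    now = now or datetime.now(timezone.utc)

    uac_values = entry.get("userAccountControl")
    if uac_values:
        uac = int(uac_values[0])
        if uac & ACCOUNTDISABLE:
            return False, "userAccountControl 0x%x has ACCOUNTDISABLE set" % uac

    exp_values = entry.get("accountExpires")
    if exp_values:
        exp = int(exp_values[0])
        if exp not in NEVER_EXPIRES:
            try:
                expires_at = filetime_to_datetime(exp)
            except OverflowError:
                # Beyond datetime's range: treat as far future, i.e. not expired.
                return True, "accountExpires beyond representable range"
            if expires_at <= now:
                return False, "account expired at %s" % expires_at.isoformat()

    return True, "ok"


# Constructed sample entries (not real directory data).
NOW = utc(2012, 4, 1)
SAMPLE_ENTRIES = {
    "enabled": {"userAccountControl": ["512"], "accountExpires": ["0"]},   # NORMAL_ACCOUNT
    "disabled": {"userAccountControl": ["514"], "accountExpires": ["0"]},  # 0x200 | 0x2
    # accountExpires = 2012-01-01T00:00:00Z, which is before NOW.
    "expired": {"userAccountControl": ["512"],
                "accountExpires": ["129698496000000000"]},
    "no_attrs": {},  # both attributes missing: access granted
}


def evaluate_samples(now=NOW):
    """Return {name: allowed} for the constructed entries."""
    return {name: account_allowed(e, now)[0] for name, e in SAMPLE_ENTRIES.items()}


if __name__ == "__main__":
    for name, entry in SAMPLE_ENTRIES.items():
        print(name, account_allowed(entry, NOW))
```

The quoted policy evaluates only these two attributes (the disable bit and the expiry time); whether that is enough for the "change password on next login" case reported above is not something the quoted man-page text addresses, so verify against a test account before relying on it.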