Hello Jakub,
thanks for helping me out.
It works in the console. When an expired user logs in via Ctrl-Alt-F..., he gets all the warnings. I will try to increase pam verbosity and report back.
Greetings, J.
2018-01-08 14:59 GMT+01:00 Jakub Hrozek jhrozek@redhat.com:
On Mon, Jan 08, 2018 at 11:27:47AM +0100, Johan Vermeulen wrote:
Hello All,
I've set up a new machine for this test and increased the log levels to
Config for Freeipa-client is done with ipa-client-install, I use chrony instead of ntp and Selinux is enabled.
When the user logs in, /var/log/secure indicates:
[root@node1 ~]# tail -f /var/log/secure
Jan 5 09:27:17 node1 lightdm: pam_sss(lightdm:auth): received for user jvanvlasselaer: 7 (Authentication failure)
Jan 5 09:27:29 node1 lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jvanvlasselaer
Jan 5 09:27:29 node1 lightdm: pam_sss(lightdm:auth): received for user jvanvlasselaer: 12 (Authentication token is no longer valid; new one required)
Jan 5 09:27:29 node1 lightdm: pam_sss(lightdm:account): User info message: Password expired. Change your password now.
Jan 5 09:27:29 node1 lightdm: pam_unix(lightdm:chauthtok): user "jvanvlasselaer" does not exist in /etc/passwd
But the lightdm GUI screen indicates nothing.
(Fri Jan 5 09:27:29 2018) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [12 (Authenticatietoken is niet langer geldig; nieuwe is vereist)][network.cawdekempen.be]
(Fri Jan 5 09:27:29 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [12]: Authenticatietoken is niet langer geldig; nieuwe is vereist.
(Fri Jan 5 09:27:29 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Fri Jan 5 09:27:29 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 39
Here I at least see that the message did reach the sssd_pam process and I don't see anything that would indicate that the message was filtered out (OTOH, the debugging is not stellar in this area of code..)
I've never used lightdm, did you maybe test with some other login method, like login to the console or su from another non-root user?
Does it help to increase pam_verbosity in the [pam] section (see man sssd.conf for a description) ?
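An added example, not part of the thread, of the sssd.conf change Jakub suggests: raising pam_verbosity in the [pam] section so pam_sss hands more informational messages to the PAM conversation, together with a debug_level so sssd_pam logs more detail while the expired-password login is reproduced. The domain name is an assumption; the rest of your existing configuration stays as it is.

```ini
# /etc/sssd/sssd.conf (added example, adjust to your own configuration)
[sssd]
services = nss, pam
domains = example.com          ; assumed domain name, replace with yours

[pam]
; 0 = no messages, 1 = important messages only (default),
; 2 = informational messages, 3 = all messages plus debug output
pam_verbosity = 3
; more detail in /var/log/sssd/sssd_pam.log while reproducing the problem
debug_level = 6
```

After editing, keep the file root-owned with mode 0600 (sssd refuses to start otherwise) and restart the service with `systemctl restart sssd`. Note that pam_verbosity only controls what pam_sss emits; whether a PAM_TEXT_INFO message such as "Password expired. Change your password now." actually appears on screen depends on the PAM application (here lightdm) displaying it in its conversation function, which is why testing the same login with `su` from a non-root user or on a text console, as suggested above, separates the two cases.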