On (14/01/16 18:38), Jakub Hrozek wrote:
On Thu, Jan 14, 2016 at 12:09:12PM -0500, Simo Sorce wrote:
> > OK to push now?
>
> Yes please :-)
>
> Simo
* master: 19e44537c28f6d5f011cd7ac885c74c1e892605f
I have a question about this patch.
I can see some inconsistencies for expired/disabled users.
Here is an LDIF for expiration of a user:
dn: cn=$username,$ou,$basedn
changetype: modify
replace: accountExpires
accountExpires: 129465018000000000
and for disabling a user:
dn: cn=$username,$ou,$basedn
changetype: modify
replace: userAccountControl
userAccountControl: 514
There are tests with ssh + password (pam auth)
and ssh + key (pam account),
and here is the current state with master.
--------------------------------------
disabled AD user
pam_sss(sshd:auth): received for user testuser01-17923: 6 (Permission denied)
pam_sss(sshd:account): system info: [The user account is disabled on the AD server]
pam_sss(sshd:account): Access denied for user testuser01-17923: 6 (Permission denied)
expired AD user
pam_sss(sshd:auth): received for user testuser01-17923: 6 (Permission denied)
pam_sss(sshd:account): system info: [The user account is expired on the AD server]
pam_sss(sshd:account): Access denied for user testuser01-17923: 13 (User account has expired)
Previously, we could see the info "User account has expired"
even in the auth phase. And it's unusual that auth and account returned different
error codes.
I think that this patch fixed the "auth" PAM error code for a disabled user,
but it broke it for an expired user, or did I miss something?
LS
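
The comparison made in the message above, as an added example that is not part of the original post or of SSSD: it parses the pam_sss result lines for one login attempt and reports whether the auth and account phases returned different PAM codes. The function names are hypothetical, and the sample lines are copied from the message with the wrapped line rejoined.

```python
import re

# PAM return codes that appear in the logs above (Linux-PAM numbering).
PAM_NAMES = {6: "PAM_PERM_DENIED", 13: "PAM_ACCT_EXPIRED"}

# Matches only the result lines; "system info" lines carry no code.
RESULT = re.compile(
    r"pam_sss\((?P<service>[^:]+):(?P<phase>auth|account)\): "
    r"(?:received|Access denied) for user (?P<user>[^:]+): "
    r"(?P<code>\d+) \((?P<text>[^)]*)\)"
)

def phase_codes(lines):
    """Return {phase: PAM code} for the pam_sss lines of one login attempt."""
    codes = {}
    for line in lines:
        m = RESULT.search(line)
        if m:
            codes[m.group("phase")] = int(m.group("code"))
    return codes

def inconsistent(lines):
    """True when auth and account were both logged with different codes."""
    codes = phase_codes(lines)
    return ("auth" in codes and "account" in codes
            and codes["auth"] != codes["account"])

# Sample input: the two scenarios quoted in the message.
DISABLED = [
    "pam_sss(sshd:auth): received for user testuser01-17923: 6 (Permission denied)",
    "pam_sss(sshd:account): system info: [The user account is disabled on the AD server]",
    "pam_sss(sshd:account): Access denied for user testuser01-17923: 6 (Permission denied)",
]
EXPIRED = [
    "pam_sss(sshd:auth): received for user testuser01-17923: 6 (Permission denied)",
    "pam_sss(sshd:account): system info: [The user account is expired on the AD server]",
    "pam_sss(sshd:account): Access denied for user testuser01-17923: 13 (User account has expired)",
]

if __name__ == "__main__":
    for name, lines in (("disabled", DISABLED), ("expired", EXPIRED)):
        codes = {p: PAM_NAMES.get(c, c) for p, c in phase_codes(lines).items()}
        print(name, codes, "MISMATCH" if inconsistent(lines) else "consistent")
```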