Hi,
I am having some issues trying to configure sssd to print out a message informing a user if their account is locked out. I thought it would be as simple as setting pam_account_locked_message, but I guess not. I suspect this is an sssd issue, but I suppose it could be a PAM issue. Here is what my sssd.conf file looks like:
[domain/default]
debug_level = 8
cache_credentials = True
ldap_search_base = *************
ldap_user_search_base = *************
ldap_user_name = cn
ldap_group_search_base = **************
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = *****************
ldap_tls_cacert = ********************
ldap_referrals = False
enumerate = False
access_provider = ldap
ldap_access_order = ppolicy
[sssd]
services = nss, pam, autofs, ssh
config_file_version = 2
domains = default
[nss]
homedir_substring = /home
[pam]
pam_verbosity = 3
pam_account_locked_message = "Account locked"
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
And the relevant sections of PAM
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 100 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
I see the following message in the sssd log when a locked-out account logs in:
(Thu Mar 1 22:05:23 2018) [sssd[be[default]]] [sdap_op_add] (0x2000): New operation 1 timeout 6
(Thu Mar 1 22:05:23 2018) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x1231d90], connected[1], ops[0x1303b50], ldap[0x12d0010]
(Thu Mar 1 22:05:23 2018) [sssd[be[default]]] [simple_bind_done] (0x2000): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].
(Thu Mar 1 22:05:23 2018) [sssd[be[default]]] [simple_bind_done] (0x1000): Password Policy Response: expire [-1] grace [-1] error [Account Locked].
(Thu Mar 1 22:05:23 2018) [sssd[be[default]]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), no errmsg set
And this is what showed up in /var/log/secure:
Mar 1 22:05:23 adms08 sshd[23044]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=******** user=*********
Mar 1 22:05:23 adms08 sshd[23044]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=******* user=********
Mar 1 22:05:23 adms08 sshd[23044]: pam_sss(sshd:auth): received for user *********: 7 (Authentication failure)
Mar 1 22:05:25 adms08 sshd[23044]: Failed password for ******* from ********** port 55284 ssh2
I feel like this should give something other than the normal failed password message.
Any help would be appreciated.
Thanks,
Jeff
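The logs above show the situation a defender cares about: the LDAP server's password-policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1) tells sssd the account is locked, but what reaches /var/log/secure is only a generic pam_sss "Authentication failure" and sshd's "Failed password" line. The following Python script is an added example, not code from the post or from the sssd project: it parses the two log formats shown above, picks out each ppolicy error together with the LDAP bind result that follows it, and pairs it with the pam_sss failure logged in the same time window, so lockouts can be surfaced even when the PAM conversation never shows pam_account_locked_message. The sample lines are constructed from the post, with the redacted user and host replaced by placeholder values; the five-second correlation window and the year supplied for the year-less syslog timestamps are assumptions.

```python
"""Surface LDAP password-policy lockouts hidden behind generic sssd/PAM auth failures.

Added example; not from the original mailing-list post. Parses the sssd backend
debug log (the "Password Policy Response" line needs debug_level 0x1000 or higher)
and the pam_sss lines in /var/log/secure, then correlates them by timestamp.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# sssd debug-log line: "(timestamp) [component] [function] (0xlevel): message"
SSSD_LINE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<comp>.*?)\] \[(?P<func>\w+)\] "
    r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# ppolicy response control as decoded by sssd's simple_bind_done()
PPOLICY = re.compile(
    r"Password Policy Response: expire \[(?P<expire>-?\d+)\] "
    r"grace \[(?P<grace>-?\d+)\] error \[(?P<error>[^\]]*)\]"
)
# "Bind result: Invalid credentials(49), no errmsg set"
BIND_RESULT = re.compile(r"Bind result: (?P<text>[^(]+)\((?P<code>\d+)\)")
# syslog line from pam_sss: "Mon  d HH:MM:SS host sshd[pid]: pam_sss(svc:auth): received for user X: N (text)"
PAM_SSS_RESULT = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: "
    r"pam_sss\((?P<service>[^:]+):auth\): received for user (?P<user>.+?): "
    r"(?P<code>\d+) \((?P<text>[^)]*)\)$"
)


@dataclass
class PpolicyEvent:
    ts: datetime
    error: str                        # e.g. "Account Locked"
    bind_code: Optional[int] = None   # LDAP result code from the following "Bind result" line


@dataclass
class PamFailure:
    ts: datetime
    host: str
    pid: int
    user: str
    code: int    # PAM return code as logged by pam_sss (7 = PAM_AUTH_ERR)
    text: str


def parse_sssd_log(lines: List[str]) -> List[PpolicyEvent]:
    """Return one event per non-empty ppolicy error, with the bind result that follows it."""
    events: List[PpolicyEvent] = []
    for line in lines:
        m = SSSD_LINE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        pp = PPOLICY.search(msg)
        if pp and pp.group("error"):
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            events.append(PpolicyEvent(ts=ts, error=pp.group("error")))
            continue
        br = BIND_RESULT.search(msg)
        if br and events and events[-1].bind_code is None:
            events[-1].bind_code = int(br.group("code"))
    return events


def parse_secure_log(lines: List[str], year: int) -> List[PamFailure]:
    """Extract pam_sss auth results; syslog timestamps carry no year, so the caller supplies it."""
    failures: List[PamFailure] = []
    for line in lines:
        m = PAM_SSS_RESULT.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m.group('ts')} {year}", "%b %d %H:%M:%S %Y")
        failures.append(PamFailure(ts=ts, host=m.group("host"), pid=int(m.group("pid")),
                                   user=m.group("user"), code=int(m.group("code")),
                                   text=m.group("text")))
    return failures


def correlate(events: List[PpolicyEvent], failures: List[PamFailure],
              window: timedelta = timedelta(seconds=5)) -> List[Tuple[str, int, str, Optional[int]]]:
    """Pair each ppolicy error with pam_sss failures logged within `window` of it.

    The sssd backend log has no sshd PID, so a time window (an assumption) is the join key.
    Returns (user, sshd pid, ppolicy error, LDAP bind code) tuples.
    """
    hits = []
    for ev in events:
        for f in failures:
            if abs(f.ts - ev.ts) <= window:
                hits.append((f.user, f.pid, ev.error, ev.bind_code))
    return hits


# Constructed sample input, modelled on the lines in the post (user/host are placeholders).
SAMPLE_SSSD = [
    "(Thu Mar 1 22:05:23 2018) [sssd[be[default]]] [sdap_op_add] (0x2000): New operation 1 timeout 6",
    "(Thu Mar 1 22:05:23 2018) [sssd[be[default]]] [simple_bind_done] (0x2000): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].",
    "(Thu Mar 1 22:05:23 2018) [sssd[be[default]]] [simple_bind_done] (0x1000): Password Policy Response: expire [-1] grace [-1] error [Account Locked].",
    "(Thu Mar 1 22:05:23 2018) [sssd[be[default]]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), no errmsg set",
]
SAMPLE_SECURE = [
    "Mar 1 22:05:23 adms08 sshd[23044]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=jdoe",
    "Mar 1 22:05:23 adms08 sshd[23044]: pam_sss(sshd:auth): received for user jdoe: 7 (Authentication failure)",
    "Mar 1 22:05:25 adms08 sshd[23044]: Failed password for jdoe from 203.0.113.7 port 55284 ssh2",
]


def report(sssd_lines: List[str] = SAMPLE_SSSD, secure_lines: List[str] = SAMPLE_SECURE,
           year: int = 2018) -> List[Tuple[str, int, str, Optional[int]]]:
    """Run the correlation and print one line per lockout that PAM reported only as a generic failure."""
    hits = correlate(parse_sssd_log(sssd_lines), parse_secure_log(secure_lines, year))
    for user, pid, error, code in hits:
        print(f"user={user} sshd_pid={pid} ppolicy_error={error!r} ldap_bind_code={code}")
    return hits


if __name__ == "__main__":
    report()
```

Because the LDAP bind itself fails (result 49) during the auth phase, the PAM stack never reaches the account phase where access_provider/ldap_access_order = ppolicy would deny with the configured message; a correlation like this, run over the real logs, lets you tell lockouts apart from plain wrong-password attempts regardless of what the user was shown.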