Hi,
I added:
pwd_expiration_warning=14 to domain section
and to pam section:
pam_pwd_expiration_warning=14
but still no warning at all.
-----
Best regards,
Pawel
On Fri, 12 Feb 2021 at 09:39, Sumit Bose <sbose(a)redhat.com> wrote:
On Thu, Feb 11, 2021 at 06:47:46PM +0100, Paweł Szafer wrote:
> Hi,
> I want to warn users when password expiration days are less than 14 days.
>
> I have GPO Default domain policy with this number of days.
> I have sssd.conf as:
Hi,
although you define the password policy in AD with GPOs, SSSD is using
the information received during Kerberos authentication but by default
it is not displayed.
Please try to set
pam_pwd_expiration_warning = 14
in the [pam] section of sssd.conf and restart SSSD, see man sssd.conf
for details.
HTH
bye,
Sumit
>
> [sssd]
> domains = internal.domain.tld
> config_file_version = 2
> services = nss, pam
>
> [domain/internal.domain.tld]
> cache_credentials = True
> debug_level = 6
> id_provider = ad
> auth_provider = ad
> access_provider = ad
>
> default_shell = /bin/bash
> fallback_homedir = /home/%d/%u
> ldap_id_mapping = True
> ldap_schema = ad
> enumerate = True
> ad_site=internal1
>
> ad_gpo_access_control = permissive
>
> ad_gpo_ignore_unreadable = True
>
> And pam.d as follows:
>
> #%PAM-1.0
>
> auth sufficient pam_sss.so forward_pass
> auth required pam_unix.so try_first_pass nullok
> auth optional pam_permit.so
> auth required pam_env.so
> #auth requisite pam_deny.so
>
> account required pam_unix.so
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account optional pam_permit.so
> account required pam_time.so
>
> password required pam_unix.so try_first_pass nullok sha512 shadow
> password sufficient pam_sss.so use_authok
> password optional pam_permit.so
>
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session required pam_limits.so
> session required pam_unix.so
> session optional pam_sss.so
> session optional pam_permit.so
>
>
> User has password valid till 20.02.2020 and yet I don't have any warning.
> I had to add ad_gpo_ignore_unreadable = True and ad_gpo_access_control =
> permissive to my config because without it I end up with "System error"
> during login and unsuccessful login.
>
> In gpo_cache I see Machine gpo with lines:
>
> [Registry Values]
> MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14
>
> Any idea how to turn on this warning?
>
> Thanks for your help!
> -----
> Best regards,
> Pawel
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
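
A placement check for the two options discussed in this thread, as an added example that is not part of the original messages or SSSD's own code: it parses an sssd.conf text and reports the warning days that apply per domain, using the per-domain override described in man sssd.conf. The sample config is constructed from the one posted above, and the function name is hypothetical.

```python
import configparser

# Constructed sample: the thread's sssd.conf (trimmed) with both warning
# options placed in the sections named in the replies.
SAMPLE = """
[sssd]
domains = internal.domain.tld
config_file_version = 2
services = nss, pam

[pam]
pam_pwd_expiration_warning = 14

[domain/internal.domain.tld]
id_provider = ad
auth_provider = ad
fallback_homedir = /home/%d/%u
pwd_expiration_warning = 14
"""

def expiry_warning_report(conf_text):
    """Return ({domain: configured days or None}, [placement problems])."""
    # interpolation=None: sssd.conf values such as /home/%d/%u contain '%'.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    problems = []
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "pam" not in services:
        problems.append("pam is not listed in [sssd] services")
    # Each option is only meaningful in its own kind of section.
    for sec in cp.sections():
        if cp.has_option(sec, "pam_pwd_expiration_warning") and sec != "pam":
            problems.append(f"pam_pwd_expiration_warning in [{sec}], expected [pam]")
        if cp.has_option(sec, "pwd_expiration_warning") and not sec.startswith("domain/"):
            problems.append(f"pwd_expiration_warning in [{sec}], expected a domain section")
    pam_days = cp.getint("pam", "pam_pwd_expiration_warning", fallback=None)
    effective = {}
    domains = cp.get("sssd", "domains", fallback="").split(",")
    for name in [d.strip() for d in domains if d.strip()]:
        sec = f"domain/{name}"
        if not cp.has_section(sec):
            problems.append(f"[{sec}] is missing")
            continue
        # A per-domain value overrides the [pam] value (man sssd.conf).
        effective[name] = cp.getint(sec, "pwd_expiration_warning", fallback=pam_days)
    return effective, problems

if __name__ == "__main__":
    print(expiry_warning_report(SAMPLE))
```

A value of None for a domain means neither option was found in a section where SSSD reads it, so SSSD's built-in defaults apply.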