Hi,
I want to warn users when their password expires in less than 14 days.
I have the GPO Default Domain Policy set with this number of days.
I have sssd.conf as:

[sssd]
domains = internal.domain.tld
config_file_version = 2
services = nss, pam

[domain/internal.domain.tld]
cache_credentials = True
debug_level = 6
id_provider = ad
auth_provider = ad
access_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
ldap_id_mapping = True
ldap_schema = ad
enumerate = True
ad_site=internal1
ad_gpo_access_control = permissive
ad_gpo_ignore_unreadable = True

And pam.d as follows:

#%PAM-1.0
auth sufficient pam_sss.so forward_pass
auth required pam_unix.so try_first_pass nullok
auth optional pam_permit.so
auth required pam_env.so
#auth requisite pam_deny.so
account required pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account optional pam_permit.so
account required pam_time.so
password required pam_unix.so try_first_pass nullok sha512 shadow
password sufficient pam_sss.so use_authok
password optional pam_permit.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_limits.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_permit.so

The user has a password valid till 20.02.2020, and yet I don't get any warning.
I had to add ad_gpo_ignore_unreadable = True and ad_gpo_access_control = permissive
to my config because without them I end up with "System error" during login
and the login is unsuccessful.

In gpo_cache I see the Machine GPO with these lines:

[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14

Any idea how to turn on this warning?
Thanks for your help!
-----
Best regards,
Pawel