I cannot find solutions in the documentation or by trying. I am stuck and need help.

The environment: a Fedora Workstation 38 notebook has been joined with "realm join" (sssd-ad) to Microsoft Active Directory (ADDS). The user account details are stored for offline login support. The notebook is used outside of the ADDS network and does not have a connection to it.
Commands run on the notebook:

```
$ rpm -q sssd sssd-ad
sssd-2.9.4-1.fc38.x86_64
sssd-ad-2.9.4-1.fc38.x86_64
```

```
$ authselect current
Profile ID: sssd
Enabled features:
- with-mkhomedir
- with-ecryptfs
- with-mdns4
```
The problem: Password changes, expiration date changes and account status changes (disable/enable) in ADDS are not propagated to the notebook. Depending on the situation:

- the user can still log in to the notebook, even when the password was set to expired or the account was disabled
- the user cannot log in to the notebook anymore, because the notebook is not aware of the new password expiration date
- after a password change, the old password must be used to log in to the notebook

Workaround: The user brings the notebook to the ADDS network and connects it with a network cable. The user logs in to the notebook once, then disconnects and leaves. This workaround is sometimes not possible.

My questions:

1) Which command can read the ADDS account's expiration date from SSSD's cache? Does the command return the status of the account, i.e. disabled or enabled, too?
For an account that has its expiration date in the far future and that can log in to the notebook, "sssctl" prints (NAME and TIMESTAMP are redacted values):

```
$ sudo sssctl user-show NAME
Name: NAME
Cache entry creation date: TIMESTAMP
Cache entry last update time: TIMESTAMP
Cache entry expiration time: Expired
Initgroups expiration time: Expired
Cache in InfoPipe: No
```
2) Which command should I use to force SSSD to forget about a specific user, so that the account cannot log in anymore without a connection to the ADDS network to refresh its data?

I started the notebook and from TTY2 ran as the root user (without logging in as NAME) "sss_cache -u NAME" and "sss_cache -E" (even followed by "systemctl restart sssd.service"). Afterwards NAME could still log in.

These commands (executed as root) prevented all users from logging in:

```
# systemctl stop sssd.service; rm -rf /var/lib/sss/db/*; systemctl start sssd.service
```
3) How can I force retrieval of the updated expiration date and/or changed password from the command line?

This assumes the notebook has a connection to the ADDS network: either a wireless network connection when on-site, or remotely over SSH or VPN (the root user and/or the user connects to an SSH gateway (CentOS Stream 9), which might or might not be part of ADDS but has access to the ADDS network), or the user establishes a VPN connection. I do not know whether a VPN connection can be established from GDM if the account is already expired according to SSSD's cache.
Thanks, René