Hi,

I am having some issues trying to configure sssd to print out a message informing a user if their account is locked out. I thought it would be as simple as setting pam_account_locked_message, but I guess not. I suspect this is an sssd issue, but I suppose it could be a PAM issue. Here is what my sssd.conf file looks like:

[domain/default]
debug_level = 8
cache_credentials = True
ldap_search_base = *************
ldap_user_search_base = *************
ldap_user_name = cn
ldap_group_search_base = **************
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = *****************
ldap_tls_cacert = ********************
ldap_referrals = False
enumerate = False
access_provider = ldap
ldap_access_order = ppolicy

[sssd]
services = nss, pam, autofs, ssh
config_file_version = 2
domains = default

[nss]
homedir_substring = /home

[pam]
pam_verbosity = 3
pam_account_locked_message = "Account locked"

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

And the relevant sections of PAM:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 100 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

I see the following message in the sssd log with a locked-out account logging in:

(Thu Mar  1 22:05:23 2018) [sssd[be[default]]] [sdap_op_add] (0x2000): New operation 1 timeout 6
(Thu Mar  1 22:05:23 2018) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x1231d90], connected[1], ops[0x1303b50], ldap[0x12d0010]
(Thu Mar  1 22:05:23 2018) [sssd[be[default]]] [simple_bind_done] (0x2000): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].
(Thu Mar  1 22:05:23 2018) [sssd[be[default]]] [simple_bind_done] (0x1000): Password Policy Response: expire [-1] grace [-1] error [Account Locked].
(Thu Mar  1 22:05:23 2018) [sssd[be[default]]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), no errmsg set

And this is what showed up in /var/log/secure:

Mar  1 22:05:23 adms08 sshd[23044]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=********  user=*********
Mar  1 22:05:23 adms08 sshd[23044]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=******* user=********
Mar  1 22:05:23 adms08 sshd[23044]: pam_sss(sshd:auth): received for user *********: 7 (Authentication failure)
Mar  1 22:05:25 adms08 sshd[23044]: Failed password for ******* from ********** port 55284 ssh2

I feel like this should give something other than the normal failed password message.

Any help would be appreciated.

Thanks,
Jeff

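The sssd log line above reports the server returning control 1.3.6.1.4.1.42.2.27.8.5.1 (the Password Policy response control) alongside the invalidCredentials(49) bind result, and sssd summarises its contents as "expire [-1] grace [-1] error [Account Locked]". That summary comes from a small BER-encoded structure attached to the bind response. As an added example that is not part of the original post and not sssd's own parser, here is a standalone Python decoder for that control value, written against the ASN.1 in draft-behera-ldap-password-policy. The sample control bytes (SAMPLE_LOCKED, SAMPLE_EXPIRES, SAMPLE_GRACE) are hand-encoded for the example, not captured from the poster's server, and the error names are the draft's enumeration labels rather than sssd's own display strings.

```python
"""Decode the LDAP Password Policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1).

Hypothetical example code, not from the original post and not sssd's parser.
Per draft-behera-ldap-password-policy (LDAP uses IMPLICIT tags, but a tagged
CHOICE such as 'warning' stays explicit, i.e. constructed):

    PasswordPolicyResponseValue ::= SEQUENCE {
        warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                             graceAuthNsRemaining [1] INTEGER } OPTIONAL,
        error   [1] ENUMERATED { passwordExpired(0), accountLocked(1), ... } OPTIONAL }
"""

PPOLICY_RESPONSE_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# "error" ENUMERATED values, in the order the draft defines them.
PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}

# Constructed sample control values (hand-encoded BER, not captured traffic).
SAMPLE_LOCKED = bytes.fromhex("30 03 81 01 01")                 # error=accountLocked
SAMPLE_EXPIRES = bytes.fromhex("30 06 a0 04 80 02 0e 10")       # password expires in 3600 s
SAMPLE_GRACE = bytes.fromhex("30 08 a0 03 81 01 01 81 01 00")   # 1 grace bind left, passwordExpired


def _read_tlv(data, pos):
    """Read one BER TLV (single-byte tag, definite length) starting at pos.
    Returns (tag, content_bytes, position_after_tlv); raises on truncation."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(data):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    else:                                  # short-form length
        length = first
    if pos + length > len(data):
        raise ValueError("length runs past end of control value")
    return tag, data[pos:pos + length], pos + length


def _ber_int(content):
    """Decode INTEGER/ENUMERATED content octets (big-endian two's complement)."""
    if not content:
        raise ValueError("empty INTEGER")
    return int.from_bytes(content, "big", signed=True)


def decode_ppolicy_response(value):
    """Decode a PasswordPolicyResponseValue into
    {'expire': seconds or -1, 'grace': count or -1, 'error': name or None},
    using -1 for absent warnings the way the sssd log line prints them.
    Malformed input raises ValueError instead of being guessed at."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected a single top-level SEQUENCE")
    result = {"expire": -1, "grace": -1, "error": None}
    pos = 0
    while pos < len(body):
        tag, field, pos = _read_tlv(body, pos)
        if tag == 0xA0:                    # warning [0] CHOICE, explicit tag
            wtag, wval, wend = _read_tlv(field, 0)
            if wend != len(field):
                raise ValueError("trailing bytes inside warning")
            if wtag == 0x80:               # timeBeforeExpiration [0] INTEGER
                result["expire"] = _ber_int(wval)
            elif wtag == 0x81:             # graceAuthNsRemaining [1] INTEGER
                result["grace"] = _ber_int(wval)
            else:
                raise ValueError("unknown warning tag 0x%02x" % wtag)
        elif tag == 0x81:                  # error [1] ENUMERATED, implicit tag
            code = _ber_int(field)
            result["error"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x in response value" % tag)
    return result


def is_account_locked(value):
    """True when the control says the bind was refused because the account is locked."""
    return decode_ppolicy_response(value)["error"] == "accountLocked"


if __name__ == "__main__":
    for name, sample in (("locked", SAMPLE_LOCKED), ("expires", SAMPLE_EXPIRES),
                         ("grace", SAMPLE_GRACE)):
        d = decode_ppolicy_response(sample)
        print("%-8s expire [%d] grace [%d] error [%s]" % (name, d["expire"], d["grace"], d["error"]))
```

The decoder makes the point of the log visible: the server's bind result on its own is the generic invalidCredentials(49), and the fact that the account is locked travels only in the attached control (error value 1). A client that does not request or parse the control therefore sees nothing but a failed bind, which is exactly the generic "Failed password" that sshd logged.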