Hello Jakub, thanks for helping me out.
It works in the console. When an expired user logs in via ctl-alt-f.... he gets all the warnings.
I will try to increase pam verbosity and report back.

Greetings, J.

2018-01-08 14:59 GMT+01:00 Jakub Hrozek <[email protected]>:

> On Mon, Jan 08, 2018 at 11:27:47AM +0100, Johan Vermeulen wrote:
> > Hello All,
> >
> > I've set up a new machine for this test and increased the log levels to 6.
> > Config for Freeipa-client is done with ipa-client-install, I use chrony
> > instead of ntp and Selinux is enabled.
> >
> > When user logs in /var/log/secure indicates:
> >
> > [root@node1 ~]# tail -f /var/log/secure
> > Jan 5 09:27:17 node1 lightdm: pam_sss(lightdm:auth): received for user jvanvlasselaer: 7 (Authentication failure)
> > Jan 5 09:27:29 node1 lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jvanvlasselaer
> > Jan 5 09:27:29 node1 lightdm: pam_sss(lightdm:auth): received for user jvanvlasselaer: 12 (Authentication token is no longer valid; new one required)
> > Jan 5 09:27:29 node1 lightdm: pam_sss(lightdm:account): User info message: Password expired. Change your password now.
> > Jan 5 09:27:29 node1 lightdm: pam_unix(lightdm:chauthtok): user "jvanvlasselaer" does not exist in /etc/passwd
> >
> > But the lightdm gui screen indicates nothing.
> >
> > (Fri Jan 5 09:27:29 2018) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [12 (Authenticatietoken is niet langer geldig; nieuwe is vereist)][network.cawdekempen.be]
> > (Fri Jan 5 09:27:29 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [12]: Authenticatietoken is niet langer geldig; nieuwe is vereist.
> > (Fri Jan 5 09:27:29 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
> > (Fri Jan 5 09:27:29 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 39
>
> Here I at least see that the message did reach the sssd_pam process and I
> don't see anything that would indicate that the message was filtered out
> (OTOH, the debugging is not stellar in this area of code..)
>
> I've never used lightdm, did you maybe test with some other login
> method, like login to the console or su from another non-root user?
>
> Does it help to increase pam_verbosity in the [pam] section (see man
> sssd.conf for a description)?
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
