On 25/10/16 01:02, Prasun Gera wrote:
I've seen some different behaviour. I've had errors for users (including
the admin user) trying to log in with possibly an expired password. Both
webui and ssh would fail, but kinit would work. I'm not sure if this is
related to the password's expiration or the account's expiration. My
/var/log/secure has messages like "pam_sss(sshd:auth): received for user
uname: 13 (User account has expired)". Is there a setting for default
expiration of user accounts ? I don't remember setting it anywhere.
On Mon, Oct 24, 2016 at 8:13 AM, David Kupka <dku...@redhat.com> wrote:
On 21/10/16 15:17, Brian Candler wrote:
Question: when a password expires, does it remain in a usable state in
the database indefinitely? For example, if someone comes along a year
after their password has expired, can they still login once with that
password?
This is actually what I want, but I just want to confirm there's not
some sort of secondary threshold which means that an expired password is
not usable X days after it has expired. Or, if there is such a
secondary threshold, where I can find it.
The scenario is a RADIUS server for wifi which reads NTLM password
hashes out of the database to authenticate - this continues to work
after expiry. However I want users to be able to do a self-reset later
if and when they want to.
Thanks,
Brian.
Hello Brian!
AFAIK, it will work. Your RADIUS server will retrieve the hash from LDAP
and do the validation locally. So FreeIPA has no way to say the password is
expired.
When the user tries to obtain Kerberos ticket he will be forced to change
the password and NTLM hash will be also regenerated.
--
David Kupka
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Hello Prasun!
If I understood Brian correctly he was asking about expiration of NTLM
password hashes. In his case there is no checking for password or
account expiration. It would need to be done in RADIUS server itself
because RADIUS server just fetches the attributes from LDAP and does
whatever it is programmed to do.
The situation that you're describing looks weird to me. When user's
Kerberos Password expires kinit and WebUI forces password change on next
login attempt. I don't know how ssh client behaves.
When user's Kerberos Principal ("account") expires neither WebUI nor
kinit would allow login or password change. Administrator must prolong
or remove the Kerberos Principal expiration.
By default Kerberos Password expiration is set according relevant to
password policy (global_policy by default) and Kerberos Principal
expiration is not set.
--
David Kupka
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
