On (29/01/16 18:48), Jakub Hrozek wrote:
>On Fri, Jan 29, 2016 at 03:22:23PM +0100, Lukas Slebodnik wrote:
>> On (14/01/16 18:38), Jakub Hrozek wrote:
>> >On Thu, Jan 14, 2016 at 12:09:12PM -0500, Simo Sorce wrote:
>> >> > OK to push now?
>> >> 
>> >> Yes please :-)
>> >> 
>> >> Simo
>> >
>> >* master: 19e44537c28f6d5f011cd7ac885c74c1e892605f
>> I have a question about this patch.
>> 
>> I can see some inconsistencies for expired/disabled user.
>> 
>> Here is an LDIF for expiring a user
>>         dn: cn=$username,$ou,$basedn
>>         changetype: modify
>>         replace: accountExpires
>>         accountExpires: 129465018000000000
>> 
>> and for disabling a user
>>         dn: cn=$username,$ou,$basedn
>>         changetype: modify
>>         replace: userAccountControl
>>         userAccountControl: 514
>> 
>> 
>> There are tests with ssh + password (pam auth)
>> and ssh + key (pam account)
>
>I will try to take a look when I work on
>https://fedorahosted.org/sssd/ticket/2927 (unless you just started on
>that ticket and this is how you found out..in that case self-assign the
>ticket, please.. At any rate, thanks for the heads up.)
>
NO,
It was pure AD testing of sssd master.

>> 
>> and here is current state with master.
>> --------------------------------------
>> disabled AD user
>>   pam_sss(sshd:auth): received for user testuser01-17923: 6 (Permission denied)
>> 
>>   pam_sss(sshd:account): system info: [The user account is disabled on the AD server]
>>   pam_sss(sshd:account): Access denied for user testuser01-17923: 6 (Permission denied)
>> 
>> expired AD user
>>   pam_sss(sshd:auth): received for user testuser01-17923: 6 (Permission denied)
>> 
>>   pam_sss(sshd:account): system info: [The user account is expired on the AD server]
>>   pam_sss(sshd:account): Access denied for user testuser01-17923: 13 (User account has expired)
>> 
>> 
>> Previously, we could see info "User account has expired"
>> even in auth phase. And it's unusual that auth and account returned different
>> error codes.
>
>I think the difference is because the auth phase converts the error PAM code
>from Kerberos error code, while the account phase looks at the
>adUserAccountControl sysdb attribute. Chances are we need to take a look
>if our handling of the attribute values is correct.
>
>> 
>> I think that this patch fixed "auth" PAM error code for disabled user
>> but it broke for expired user or did I miss something?
>
>I think those should be completely independent, the AD provider should
>read the info in sdap_account_expired_ad(). But this is based just on
>reading the code, I haven't actually done any tests.
Previously we returned PAM error code 13 for
  disabled AD user (sshd:auth)
  expired AD user  (sshd:auth)
  expired AD user  (sshd:account)

and with current master we return 13 only for
  expired AD user  (sshd:account)


So my assumption is that we should return *6* for
  disabled AD user (sshd:auth)
  disabled AD user (sshd:account)
and return *13* for
  expired AD user  (sshd:auth)
  expired AD user  (sshd:account)

If I'm wrong please correct me.

LS
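To make the attribute semantics behind the two LDIF snippets and the two PAM codes concrete, here is an added Python example (not sssd code and not from anyone in the thread) that decodes userAccountControl and the FILETIME accountExpires value and maps the resulting state to the PAM codes Lukas proposes for both phases. The base account attributes and the dn placeholders are constructed.

```python
from datetime import datetime, timedelta, timezone

# PAM return codes as they appear in the pam_sss log lines (Linux-PAM numbering).
PAM_SUCCESS, PAM_PERM_DENIED, PAM_ACCT_EXPIRED = 0, 6, 13

# userAccountControl 514 = UF_NORMAL_ACCOUNT (0x200) | UF_ACCOUNTDISABLE (0x2).
UF_ACCOUNTDISABLE = 0x0002

# accountExpires is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
# Both 0 and 0x7FFFFFFFFFFFFFFF mean "never expires".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)

def filetime_to_datetime(ticks):
    """Convert an AD accountExpires value to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def apply_ldif_replace(attrs, ldif):
    """Apply a single-attribute 'changetype: modify / replace:' LDIF snippet to attrs."""
    new = dict(attrs)
    for line in ldif.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key not in ("dn", "changetype", "replace"):
            new[key] = int(value.strip())
    return new

def account_state(attrs, now=None):
    """Return 'disabled', 'expired' or 'ok'; the disabled check is evaluated first."""
    now = now or datetime.now(timezone.utc)
    if attrs.get("userAccountControl", 0) & UF_ACCOUNTDISABLE:
        return "disabled"
    expires = attrs.get("accountExpires", 0)
    if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        return "expired"
    return "ok"

def pam_code_for(attrs):
    """PAM code Lukas argues both sshd:auth and sshd:account should return for the user."""
    codes = {"disabled": PAM_PERM_DENIED, "expired": PAM_ACCT_EXPIRED, "ok": PAM_SUCCESS}
    return codes[account_state(attrs)]

# Constructed sample: an enabled, never-expiring account, then the two LDIF
# modifications quoted in the thread (dn left with the shell variables used there).
BASE_USER = {"userAccountControl": 512, "accountExpires": 0}
EXPIRE_LDIF = "dn: cn=$username,$ou,$basedn\nchangetype: modify\n" \
              "replace: accountExpires\naccountExpires: 129465018000000000"
DISABLE_LDIF = "dn: cn=$username,$ou,$basedn\nchangetype: modify\n" \
               "replace: userAccountControl\nuserAccountControl: 514"
```

The accountExpires value from the thread decodes to 2011-04-05 18:30:00 UTC, which is why that account is already expired at test time.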
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org