We're having users unable to log in on some hosts.
The error message in /var/log/secure is:
sshd[29399]: error: PAM: User account has expired for <<username>> from <<ip address>>
The same users can log in fine to other hosts, suggesting it's a config or other issue with these specific hosts.
Has anyone seen anything similar?
On Wed, Apr 27, 2022 at 02:50:42PM -0000, Ben Aveling via FreeIPA-users wrote:
> We're having users unable to log in on some hosts.
> The error message in /var/log/secure is:
> sshd[29399]: error: PAM: User account has expired for <<username>> from <<ip address>>
> The same users can log in fine to other hosts, suggesting it's a config or other issue with these specific hosts.
Hi,
I would guess that some of the cached user data is not updated because the domain the user is coming from is offline for some reason. You can check the status of the domain with 'sssctl domain-status domain.name' ('sssctl domain-list' will show a list of all domains). If the domain is offline, maybe restarting SSSD will already help. If not, please enable debugging by adding 'debug_level = 9' to the [domain/...] section of sssd.conf, restart SSSD, try to log in again and then check the SSSD debug logs or send them here.
bye, Sumit
> Has anyone seen anything similar?

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
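The triage Sumit describes above (check whether the domain is online, restart SSSD if it is offline, otherwise raise debug_level in the [domain/...] section and retry the login) as a small POSIX sh helper. This is an added example, not code from the thread, from SSSD or from FreeIPA. It assumes that 'sssctl domain-status' prints a line of the form "Online status: Online" / "Online status: Offline" and that sssd.conf is an INI-style file with a "[domain/NAME]" section; the sssctl output and the sssd.conf below are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): offline-runnable helpers for the
# "PAM: User account has expired" triage. The helpers never touch the live
# system; on a real host you would feed them 'sssctl domain-status NAME'
# output and /etc/sssd/sssd.conf.

# Extract the status word from 'sssctl domain-status' output read on stdin.
# Assumption: the output contains a line "Online status: <word>".
domain_status_from_output() {
    sed -n 's/^Online status: *\([A-Za-z]*\).*/\1/p' | head -n 1
}

# Map the status word to the next step suggested in the reply above.
next_step() {
    case "$1" in
        Online)  echo "online: add debug_level = 9 to [domain/...], restart sssd, retry login" ;;
        Offline) echo "offline: restart sssd (systemctl restart sssd) and retry login" ;;
        *)       echo "unknown status '$1': check 'sssctl domain-list' for the domain name" ;;
    esac
}

# Print a copy of the sssd.conf in $1 with "debug_level = 9" set in the
# [domain/$2] section: an existing debug_level line there is replaced,
# otherwise one is appended at the end of that section. Other sections
# are left untouched.
set_domain_debug_level() {
    conf=$1; dom=$2
    awk -v sect="[domain/$dom]" '
        $0 == sect { in_sect = 1; seen = 0; print; next }
        in_sect && /^\[/ { if (!seen) print "debug_level = 9"; in_sect = 0 }
        in_sect && /^[ \t]*debug_level[ \t]*=/ { print "debug_level = 9"; seen = 1; next }
        { print }
        END { if (in_sect && !seen) print "debug_level = 9" }
    ' "$conf"
}

# Constructed sample output of 'sssctl domain-status example.test' (not real).
SAMPLE_STATUS='Online status: Offline

Active servers:
IPA: ipa.example.test'

# Constructed sssd.conf (hypothetical domain example.test, not a real host).
SAMPLE_CONF='[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test

[nss]
filter_groups = root'

# Walk through the procedure on the constructed data.
demo() {
    status=$(printf '%s\n' "$SAMPLE_STATUS" | domain_status_from_output)
    echo "domain status: $status"
    next_step "$status"
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONF" > "$tmp"
    echo "--- sssd.conf with debug_level = 9 in [domain/example.test] ---"
    set_domain_debug_level "$tmp" example.test
    rm -f "$tmp"
}

demo
```

On a real host the same helpers apply as `sssctl domain-status NAME | domain_status_from_output` and `set_domain_debug_level /etc/sssd/sssd.conf NAME > sssd.conf.new` (review, then install with mode 0600 and restart sssd); the functions deliberately do not edit /etc/sssd/sssd.conf in place.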
Restarting sssd made the problem go away. For better or worse.
I've increased the debug and will update if it comes back.
Memo to future self: "User account has expired" doesn't necessarily mean the account has expired - it can also mean that the account is invalid for some other reason, such as not having an HBAC rule. (This was the problem with my test account, but not with the original user's account.)