
[lmi] redhat server, PAM, LDAP


From: Greg Chicares
Subject: [lmi] redhat server, PAM, LDAP
Date: Mon, 12 Oct 2020 21:13:12 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0

There's no real question or problem here, but for your amusement...

A while ago, I added a user 'nemo' to a corporate RHEL server.
That new user appeared in /etc/passwd, although all official users
aren't there (I think LDAP is used instead). All I wanted was an
unprivileged throwaway account that I could use for chroot testing.
In particular, if Kim created a chroot, then I didn't have the
required permissions on all the files therein, and vice versa;
but I figured that both of us would be able to do anything that
'nemo' could do.

That worked until today. Now:

$ sudo schroot --chroot=lmi_bullseye_3 --user=nemo
E: You are required to change your password immediately (password aged)
E: PAM error: Authentication token is no longer valid; new one required

That seems impossible, because nemo's password never expires:

$ sudo schroot --chroot=chroot:lmi_bullseye_3
# chage --list nemo
Last password change                                    : Oct 12, 2020
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

I tried resetting it, in the hope that desperate measures would work...

# chage -d $(date "+%F") -E 2100-01-01 -I -1 -m 0 -M 99998 -W 31 nemo
# chage --list nemo
Last password change                                    : Oct 12, 2020
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : Jan 01, 2100
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99998
Number of days of warning before password expires       : 31
# exit

...but no:

$ sudo schroot --chroot=lmi_bullseye_3 --user=nemo
E: You are required to change your password immediately (password aged)
E: PAM error: Authentication token is no longer valid; new one required

I guess running 'useradd' as a mere superuser creates an
account that an updated PAM considers an abomination.
Too bad--now we'll have to test this the hard way again.
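
Added example (not part of the original message): a simplified Python model of the shadow(5) aging rules behind a "password aged" result, so the fields of a given shadow entry can be checked directly. The sample entries are constructed (the first mirrors the `chage --list` output above), and the names `Aging`, `parse_shadow_line` and `aging_status` are hypothetical.

```python
"""Simplified model of shadow(5) password aging (added example)."""
from dataclasses import dataclass
from datetime import date

EPOCH = date(1970, 1, 1)  # shadow(5) counts days since this date


@dataclass
class Aging:
    user: str
    last_change: int
    min_days: int
    max_days: int
    warn_days: int
    inactive: int
    expire: int


def parse_shadow_line(line):
    """Parse one shadow(5) line; empty numeric fields become -1 (disabled)."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}")
    return Aging(f[0], *(int(x) if x.strip() else -1 for x in f[2:8]))


def aging_status(entry, today):
    """Classify an entry as of `today` (a datetime.date)."""
    days = (today - EPOCH).days
    if entry.expire != -1 and days >= entry.expire:
        return "account expired"
    if entry.last_change == 0:
        return "password change required (forced)"
    if entry.last_change == -1 or entry.max_days == -1:
        return "ok"  # aging disabled for this entry
    age = days - entry.last_change
    if age > entry.max_days:
        if entry.inactive != -1 and age > entry.max_days + entry.inactive:
            return "password expired and inactive"
        return "password aged"
    return "ok"


# Constructed sample entries; the first mirrors the chage output in the message.
SAMPLES = [
    "nemo:*:18547:0:99999:7:::",  # changed 2020-10-12, maximum 99999 days
    "nemo:*:18000:0:90:7:::",     # older change with a 90-day maximum
    "nemo:*:0:0:99999:7:::",      # last-change field of 0
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", aging_status(parse_shadow_line(line), date(2020, 10, 12)))
```

To check a real entry, pass the user's line from the shadow file of interest to `parse_shadow_line`; reading that file requires root.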

