[SOLVED] login refused based on perceived password expiry

Support for security such as Firewalls and securing linux
alexm
Posts: 34
Joined: 2012/06/04 21:04:55

[SOLVED] login refused based on perceived password expiry

Post by alexm » 2012/10/02 13:10:17

Centos 5.7, using LDAP as authentication.

The LDAP server is not local.

One of my admins continuously gets this message at login:

"You are required to change your password immediately (password aged)".

She attempts to change the password, which the system accepts... Then tries to log in with the new password, and again gets the "You are required to change your password immediately (password aged)" message. This will continue on in an endless loop...

Here is the LDIF of her account (scrubbed, of course):

dn: uid=annieo@domain.com,ou=domain,o=org
uid: annieo@domain.com
cn: annie
sn: o
mail: annieo@domain.com
uidNumber: 640
homeDirectory: /cust/org/users/annieo
gecos: Annie O,,
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: mirapointmailuser
objectClass: sambaSAMAccount
loginShell: /bin/bash
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaSID: S-1-5-21-...
sambaHomeDrive: F:
sambaHomePath: \\fs\cust\domain\users
gidNumber: 500
sambaPrimaryGroupSID: S-1-5-21-...
sambaLMPassword: B064...
sambaAcctFlags: [U]
sambaNTPassword: D0D5421...
sambaPwdLastSet: 1344533053
sambaPwdMustChange: 1348421053
shadowLastChange: 15561
shadowMax: 45
userPassword: {SSHA}KQnCbUN...
shadowExpire: -1

The pertinent entries from the /var/log/secure file:

Oct 1 16:16:21 web-1 sshd[3643]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mainoffice.domain.com user=annieo@domain.com
Oct 1 16:16:21 web-1 sshd[3643]: pam_unix(sshd:account): expired password for user annieo@domain.com (password aged)
Oct 1 16:16:21 web-1 sshd[3643]: Accepted password for annieo@domain.com from 192.168.1.5 port 24623 ssh2
Oct 1 16:16:21 web-1 sshd[3643]: pam_unix(sshd:session): session opened for user annieo@domain.com by (uid=0)
Oct 1 16:16:21 web-1 passwd: pam_unix(passwd:chauthtok): user "annieo@domain.com" does not exist in /etc/passwd

nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus

/etc/ldap.conf:
base ou=domain,o=org
uri ldap://10.1.1.1/
binddn cn=admin,o=org
bindpw 1tsAs∑cr∑t!
scope one
timelimit 120
bind_timelimit 120
idle_timelimit 3600
pam_password md5
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
ssl no
tls_cacertdir /etc/openldap/cacerts

What exactly am I missing here? I have compared this account to mine (where I don't have any issues), and I don't see any real difference.

TIA for any insight!!!

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

[SOLVED] login refused based on perceived password expiry

Post by TrevorH » 2012/10/02 20:01:39

Does this older thread (https://www.centos.org/modules/newbb/viewtopic.php?topic_id=31357) help at all?

alexm
Posts: 34
Joined: 2012/06/04 21:04:55

Re: [SOLVED] login refused based on perceived password expiry

Post by alexm » 2012/10/02 20:10:58

That did it!!!

I had changed "shadowexpire" to -1 earlier, but that did not solve the problem. Changing "shadowmax" to -1 fixed it.

Thanks TrevorH!
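The ageing check that produced "expired password for user ... (password aged)" is simple arithmetic over the shadowAccount attributes shown in the first post: shadowLastChange is a day count since 1970-01-01, shadowMax is the number of days a password stays valid, and shadowExpire is the day the whole account is disabled. The script below is an added example (not code from this thread or from pam_unix) that parses a constructed LDIF fragment carrying only the scrubbed shadow values from the posted entry and evaluates them the way shadow(5) describes and pam_unix's account check behaves as far as I know it. It shows why the entry was refused on the day of the post (15561 + 45 = day 15606, i.e. 2012-09-23, already past) and why setting shadowMax to -1, as in the final reply, clears the condition; it also shows that bumping shadowLastChange to the current day would have cleared it, which is what a password change recorded in LDAP would do. The helper names, the sample dates and the diagnosis wording are mine.

```python
"""Evaluate shadow password ageing from an LDAP shadowAccount entry (added example)."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

# Constructed LDIF fragment: only the shadow attributes from the account in the
# thread are reproduced; the other attributes of that entry are omitted.
SAMPLE_LDIF = """\
dn: uid=annieo@domain.com,ou=domain,o=org
objectClass: shadowAccount
shadowLastChange: 15561
shadowMax: 45
shadowExpire: -1
"""


def parse_ldif_entry(text):
    """Parse one flat LDIF entry into {attribute: [values]}.

    Folded continuation lines (leading space) are joined; base64 ('::') values
    are not decoded, which is fine for the numeric shadow attributes used here.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.strip():
            logical.append(raw)
    attrs = {}
    for line in logical:
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs


def days_to_iso(days):
    """Convert a shadow day count (days since 1970-01-01) to an ISO date string."""
    return (EPOCH + timedelta(days=days)).isoformat()


def iso_to_days(iso):
    """Convert an ISO date string to a shadow day count."""
    return (date.fromisoformat(iso) - EPOCH).days


def shadow_status(attrs, today_iso):
    """Return (status, expiry_iso) for a login attempted on today_iso.

    status is 'ok', 'must_change' (what pam_unix logs as 'password aged') or
    'account_expired'. Semantics follow shadow(5): shadowLastChange 0 forces a
    change at next login, shadowMax -1 (or absent) disables ageing,
    shadowExpire -1 (or absent) means the account never expires.
    """
    last_change = int(attrs.get("shadowLastChange", ["-1"])[0])
    max_days = int(attrs.get("shadowMax", ["-1"])[0])
    expire_day = int(attrs.get("shadowExpire", ["-1"])[0])
    today = iso_to_days(today_iso)

    if expire_day >= 0 and today >= expire_day:
        return "account_expired", days_to_iso(expire_day)
    if last_change == 0:
        return "must_change", None
    if last_change < 0 or max_days < 0:
        return "ok", None          # ageing disabled
    expiry_day = last_change + max_days
    # pam_unix flags the password once more than shadowMax days have elapsed.
    if today - last_change > max_days:
        return "must_change", days_to_iso(expiry_day)
    return "ok", days_to_iso(expiry_day)


def diagnose(ldif_text, today_iso):
    """Summarise the entry's ageing state and the two attribute changes that clear it."""
    attrs = parse_ldif_entry(ldif_text)
    status, expiry = shadow_status(attrs, today_iso)
    # Hypothetical remediations, evaluated on copies of the entry.
    with_no_max = dict(attrs, shadowMax=["-1"])
    with_fresh_change = dict(attrs, shadowLastChange=[str(iso_to_days(today_iso))])
    return {
        "last_change": days_to_iso(int(attrs["shadowLastChange"][0])),
        "status": status,
        "expired_on": expiry,
        "status_if_shadowMax_-1": shadow_status(with_no_max, today_iso)[0],
        "status_if_lastchange_today": shadow_status(with_fresh_change, today_iso)[0],
    }


if __name__ == "__main__":
    # 2012-10-02 is the date of the original post.
    for key, value in diagnose(SAMPLE_LDIF, "2012-10-02").items():
        print(f"{key}: {value}")
```

Run it with the posted date and it reports the password last changed on 2012-08-09, which is also what sambaPwdLastSet (1344533053 seconds) works out to, an expiry of 2012-09-23, and status must_change; either remediation flips the status to ok. The same check is worth running against an entry before and after a user reports a change loop: if shadowLastChange does not move after a successful passwd, the new password was stored but the ageing counter was not, and pam_unix will keep demanding a change.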
