12 April,16 at 11:46 AM
Applies to:
All versions of Centrify DirectControl except 4.4.4 and 5.1.
Problem:
Centrify/adclient prompts Active Directory users to change their password when the password is not actually expired:
Feb 19 11:04:38 a300sua8 adclient[14096]: WARN <fd:23 sshd(25452)> Account management for user 'username': password has expired
Feb 19 11:04:40 a300sua8 adclient[14096]: WARN <fd:23 passwd(25456)> Change password for user 'username': couldn't get old password from user
This problem is triggered only when you log in via SSO using Kerberos authentication or via public key authentication.
Cause:
This has been identified as an issue with the way the "PasswordExpires" entry is computed. It can happen under 3 or 4 circumstances, including the following:
a) The user trying to log in belongs to a different domain or forest (cross-domain/cross-forest trust).
b) A Microsoft fine-grained password policy is involved: http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx
c) S4U is involved (adclient failed to get an S4U2Self ticket for users located in a trusted domain).
Workaround:
1) Temporarily use password authentication (interactive login).
2) Set "adclient.cache.object.lifetime" to 1 in /etc/centrifydc/centrifydc.conf to force the user object to refresh every hour, then run adreload and adflush.
Note: This will disable authentication in disconnected mode.
Alternatively:
3) Run adflush (as root).
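As an added example (not from the Centrify article or product), a POSIX shell helper that applies workaround 2 to a centrifydc.conf path passed as an argument and checks syslog text for the adclient WARN signature shown above; the "key: value" syntax, the .bak backup and running adreload/adflush separately as root are assumptions.

```shell
#!/bin/sh
# Added example, not from the Centrify article or product. Applies
# workaround 2 (adclient.cache.object.lifetime = 1, i.e. refresh the
# cached user object hourly) to the centrifydc.conf path given in $1,
# and flags syslog text that carries the adclient WARN shown above.
# Assumptions: "key: value" syntax in centrifydc.conf, a .bak copy is
# acceptable, and adreload/adflush are run separately as root afterwards.

LIFETIME_KEY='adclient\.cache\.object\.lifetime'

# Return 0 when stdin contains the spurious "password has expired" WARN.
has_spurious_expiry_warning() {
    grep -q "adclient\[[0-9]*\]: WARN .*Account management for user '[^']*': password has expired"
}

# Current value of adclient.cache.object.lifetime in $1 (last one wins).
get_cache_lifetime() {
    sed -n "s/^[[:space:]]*${LIFETIME_KEY}[[:space:]]*[:=][[:space:]]*//p" "$1" | tail -n 1
}

# Set the lifetime to 1 hour in $1, replacing an existing line or appending one.
set_cache_lifetime_to_one_hour() {
    conf="$1"
    cp "$conf" "$conf.bak" || return 1
    if grep -q "^[[:space:]]*${LIFETIME_KEY}[[:space:]]*[:=]" "$conf"; then
        tmp="$conf.tmp.$$"
        sed "s/^[[:space:]]*${LIFETIME_KEY}[[:space:]]*[:=].*/adclient.cache.object.lifetime: 1/" \
            "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf 'adclient.cache.object.lifetime: 1\n' >> "$conf"
    fi
}

# On a real host (as root): sh this_script.sh apply && adreload && adflush
if [ "$1" = "apply" ]; then
    set_cache_lifetime_to_one_hour /etc/centrifydc/centrifydc.conf \
        && echo "adclient.cache.object.lifetime is now $(get_cache_lifetime /etc/centrifydc/centrifydc.conf)"
fi
```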
Resolution:
This is fixed in Centrify DirectControl 4.4.4 and 5.1.0.
Keywords: expiration, prompt, fine grain, s4u