PBIS Open AD authentication stops working on ubuntu with errors: "user accout has expired" and "is your account locked?"
The key line is this:
sshd[18237]: error: PAM: User account has expired for DOMAIN\\USER from HOSTNAME
This indicates that a PAM module believes the account has expired. I'd focus less on auth
/session
and more on account
, which is the facility focused on account properties not related to authentication. Your first task is to identify the module causing the problem. Once you know that, it should be much easier to identify why the module thinks the user should be blocked.
Review the applicable account
modules one by one, and try adding the debug
flag to individual entries to expand the logging output if you need more hints. If truly stumped and it wouldn't violate the security of a critical environment, you can also try commenting the account
lines one at a time until you identify your culprit.
As for what changed, more than likely your PAM config was modified when these packages were installed. Chances are that the users in question were in this state all along, but the database associated with the misbehaving account
module was being bypassed. (skipped, commented, not present at all, etc.)
FYI: domainjoin-cli configure --enable pam
will re-add these lines after an upgrade as well. PBIS Open 8.x and higher properly deliver a /usr/share/pam-configs/pbis
configuration so that this shouldn't happen in the future.
Additionally, PBIS logs more specific errors to the daemon facility of syslog, so you can view them in ubuntu in /var/log/syslog
rather than /var/log/secure
.