How do I clear a user's cached Active Directory password on CentOS 7?


So, how do I clear a user's cached Active Directory password on CentOS 7?

Generally sss_cache should be the right way to tell sssd to re-retrieve objects it has probably already cached. But afaik sssd does indeed use the cached objects again if nothing could be retrieved from the AD.

You should always be able to reset cached credentials by setting

[domain/your-domain.tld]
...
cache_credentials = False

in the /etc/sssd/sssd.conf, restarting the sssd service and reauthenticating with your user. This way you should be able to determine if authentication over SSSD/AD works at all. To check if the complete setup is working with the current settings (without using any caches), it's always a good thing to actually delete all caches. See the info at the bottom for how to do that most effectively.

Is there a way for a "regular" user to do that themselves (in case we wanted to roll this out to other systems)?

I don't know how this could be safely implemented. Imho this is not something you want. But it shouldn't be necessary anyway. SSSD should always re-evaluate its cached credentials based on some conditions.

Most of the time it's a good idea to set the following to force re-evaluation after some days and to actually notice if something in the environment is going wrong:

[pam]
...
offline_credentials_expiration

as by default offline_credentials_expiration is set to 0 (no limit).


Most of the time when I want to be sure there are no more caches in use, I do the following:

systemctl stop sssd            # stop the daemon first so it cannot rewrite the cache files
rm /var/lib/sss/db/*           # SSSD's cache directory on CentOS 7 (/var/lib/sss, not /var/lib/sssd)
systemctl start sssd           # on start, sssd rebuilds its databases from AD

This can lead to a non-working sssd setup (but only if something is wrong with its setup, as all data sssd holds are simply re-retrievable from the AD).
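The two knobs the answer discusses (cache_credentials and offline_credentials_expiration) are what decide whether an old AD password keeps working after a change, so here is an added example (my own code, not from the answer, the asker or the SSSD project) that reads them out of an sssd.conf, flags the "cached credentials never expire" case, and wraps the flush above with the correct CentOS 7 path. The function names are mine; the option names and the sssd defaults (cache_credentials off, offline_credentials_expiration 0 = no limit, value in days) are the real ones.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits sssd.conf for the
# situation discussed above (cached AD credentials that never expire) and
# wraps the answer's cache flush with the CentOS 7 path /var/lib/sss/db.
# Function names are mine; sssd option names are the real ones.

# Print the value of KEY in [SECTION] from sssd.conf, or nothing if unset.
# $1 = config file, $2 = section name without brackets, $3 = key
sssd_conf_get() {
    awk -v sect="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { insect = ($0 == sect); next }
        insect && ($0 ~ ("^[[:space:]]*" key "[[:space:]]*=")) {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
            print; exit
        }' "$1"
}

# Report whether a cached password for the given domain can outlive a
# password change indefinitely. Returns 0 when expiry is bounded (or
# caching is off) and 1 when it is unbounded, which is the thread's case.
# $1 = config file, $2 = domain name as it appears after "domain/"
sssd_cache_audit() {
    cache=$(sssd_conf_get "$1" "domain/$2" cache_credentials)
    expiry=$(sssd_conf_get "$1" pam offline_credentials_expiration)
    # sssd defaults: cache_credentials=false, offline_credentials_expiration=0 (no limit)
    cache=$(printf '%s' "${cache:-false}" | tr 'A-Z' 'a-z')
    expiry=${expiry:-0}
    if [ "$cache" != "true" ]; then
        echo "domain/$2: cache_credentials is off, every login is verified against AD"
        return 0
    fi
    if [ "$expiry" -eq 0 ]; then
        echo "domain/$2: cached credentials never expire (offline_credentials_expiration=0)"
        return 1
    fi
    echo "domain/$2: cached credentials expire after $expiry day(s) offline"
    return 0
}

# The answer's flush with the corrected path. sssd must be stopped first,
# otherwise it keeps the files open and rewrites the cache on exit.
# $1 = cache directory (default /var/lib/sss/db); needs root.
sssd_flush_cache() {
    db_dir=${1:-/var/lib/sss/db}
    systemctl stop sssd || return 1
    rm -f "$db_dir"/*
    systemctl start sssd
}
```

Run `sssd_cache_audit /etc/sssd/sssd.conf adserver.example.com` against the asker's config to see the verdict for that domain; a non-zero exit is the condition that let the old password keep working.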


Author: DirkNiblick, updated on September 18, 2022

Comments

  • DirkNiblick
    DirkNiblick over 1 year

    I built a CentOS 7 install on my company laptop and configured it to authenticate to the company AD servers like so:

    • Install packages:

      yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python
      
    • Add AD servers to /etc/hosts.

    • Join realm:

      realm join --user=tech adserver.example.com
      realm permit -g activedirectorygroup@domain
      
    • Change use_fully_qualified_names to False and fallback_homedir to /home/%u in /etc/sssd/sssd.conf.

    • Restart daemons:

      systemctl restart sssd && systemctl daemon-reload
      
    • Setup ITGROUP to be able to use sudo:

      echo "%ITGROUP  ALL=(ALL)  ALL" > /etc/sudoers.d/ITGROUP
      

    Everything has been working fine... until I changed my password on my Windows 10 PC. In fact, the CentOS box is letting me in, but just with the old password. I've done a bunch of Googling and tried a bunch of things (e.g., sss_cache -E, kdestroy -A), but I can't seem to flush the cache so I can use my new password.

    So, how do I clear a user's cached Active Directory password on CentOS 7? Is there a way for a "regular" user to do that themselves (in case we wanted to roll this out to other systems)?

    Update:

    I tried some of the suggestions, but the laptop wouldn't forget the old credentials. I ended up removing the PC from the realm and re-adding it. I did add this to my sssd.conf:

    [sssd]
    ...
    account_cache_expiration = 2
    cached_auth_timeout = 3600
    refresh_expired_interval = 4050
    
    [pam]
    reconnection_retries = 3
    offline_credentials_expiration = 2
    

    The login seems to be caching the AD stuff, but it tells me "Authenticated with cached credentials, your cached password will expire at: now" when I log in or sudo. I'm hoping that next time my password expires and I change it, this system will recognize it. FYI, my whole config is:

    [sssd]
    domains = adserver.example.com
    config_file_version = 2
    services = nss, pam
    
    [domain/adserver.example.com]
    ad_domain = adserver.example.com
    krb5_realm = adserver.example.com
    realmd_tags = manages-system joined-with-samba
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = False
    fallback_homedir = /home/%u
    access_provider = simple
    simple_allow_groups = [email protected]
    account_cache_expiration = 2
    cached_auth_timeout = 3600
    refresh_expired_interval = 4050
    
    [pam]
    reconnection_retries = 3
    offline_credentials_expiration = 2
    

    Update #2:

    I've been using this configuration for quite some time now. I've increased the account_cache_expiration and offline_credentials_expiration from 2 to 4, but it's been working so well we've begun using this setup on our servers.

    • xx4h
      xx4h almost 6 years
      Are you able to login with a new user on the CentOS7 machine?
    • roaima
      roaima almost 6 years
      Do you have an entry for entry_cache_timeout in your sssd.conf? The default is 5400 seconds, which means that every user, group, password, etc. record is re-requested from the upstream provider every hour and a half.
    • DirkNiblick
      DirkNiblick almost 6 years
      I do not have an entry_cache_timeout line in my config so it should be using the default.
    • duct_tape_coder
      duct_tape_coder almost 5 years
      I would recommend removing the offline_credentials_expiration line from your config. That line seems to be responsible for the Authenticated with cached credentials message. I removed it, reset my password in ADUC and logged in again with the new password without issue.
  • Nasir Riley
    Nasir Riley almost 6 years
    The location where you want to delete the cache contents is actually: /var/lib/sss/db.
  • DirkNiblick
    DirkNiblick almost 6 years
    I tried your suggestion of adding cache_credentials = false and restarting sssd and removing the db files, but nothing I tried would make it "forget" the old password.