How do I clear a user's cached Active Directory password on CentOS 7?
So, how do I clear a user's cached Active Directory password on CentOS 7?
Generally, sss_cache should be the right way to tell sssd to re-retrieve objects it has probably already cached. But AFAIK sssd does indeed reuse the cached objects if nothing could be retrieved from the AD.
You should always be able to reset cached credentials by setting
[domain/your-domain.tld]
...
cache_credentials = False
in the /etc/sssd/sssd.conf, restarting the sssd service and reauthenticating with your user. This way you should be able to determine if authentication over SSSD/AD works at all. To check if the complete setup is working with the current settings (without using any caches), it's always a good thing to actually delete all caches. See the info at the bottom for how to do that most effectively.
Is there a way for a "regular" user to do that themselves (in case we wanted to roll this out to other systems)?
I don't know how this could be safely implemented. IMHO this is not something you want. But it shouldn't be necessary anyway. SSSD should always re-evaluate its cached credentials based on some conditions.
Most of the time it's a good idea to set the following to force re-evaluation after some days, and to actually notice if something in the environment is going wrong:
[pam]
...
offline_credentials_expiration
as by default offline_credentials_expiration is set to 0 (no limit).
Most of the time, when I want to be sure there are no more caches in use, I do the following:
systemctl stop sssd
rm /var/lib/sssd/db/*
systemctl start sssd
This can lead to a non-working sssd setup (but only if something is wrong with its setup, as all data sssd holds are simply re-retrievable from the AD).
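As an added example (my own code, not part of the answer above or of the sssd project), the following Python 3 script ties together the two points made in this answer: it audits /etc/sssd/sssd.conf for the caching settings discussed (cache_credentials, offline_credentials_expiration and, because it keeps the plaintext password in the kernel keyring while offline, krb5_store_password_if_offline), sets those options without hand-editing, and performs the stop / clear cache / start procedure by moving the cache databases aside into a backup directory instead of deleting them, so they can be put back if sssd cannot re-fetch everything from AD. The cache directory used is /var/lib/sss/db, which is the default on CentOS 7 (the path in the answer's rm command is corrected in the comments below). Function names, the backup location and the sample configuration in the comments are my assumptions.

```python
"""Audit/adjust sssd.conf and flush the SSSD cache with a rollback copy.

Added example; assumes Python 3 and an sssd.conf in the normal INI layout
(sections such as [sssd], [domain/<name>], [pam]). Not sssd's own tooling.
"""
import configparser
import io
import os
import shutil
import subprocess
import time

SSSD_CONF = "/etc/sssd/sssd.conf"   # default location on CentOS 7
SSSD_DB_DIR = "/var/lib/sss/db"     # sssd's cache directory on CentOS 7


def parse(text):
    """Parse sssd.conf text; sssd keys are case-sensitive, so keep them as written."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def dump(cp):
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def audit(text):
    """Return findings about how long cached credentials survive on this host."""
    cp = parse(text)
    findings = []
    # [pam] offline_credentials_expiration defaults to 0, meaning "never expire"
    pam_exp = cp.get("pam", "offline_credentials_expiration", fallback="0").strip()
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        cache = cp.get(section, "cache_credentials", fallback="False").strip().lower()
        store = cp.get(section, "krb5_store_password_if_offline", fallback="False").strip().lower()
        if cache == "true" and pam_exp == "0":
            findings.append(f"{section}: cache_credentials = True with [pam] "
                            "offline_credentials_expiration = 0: cached hashes never expire")
        if store == "true":
            findings.append(f"{section}: krb5_store_password_if_offline = True keeps the "
                            "plaintext password in the kernel keyring while offline")
    return findings


def set_option(text, section, key, value):
    """Return the config text with section/key set to value (section created if missing)."""
    cp = parse(text)
    if not cp.has_section(section):
        cp.add_section(section)
    cp.set(section, key, value)
    return dump(cp)


def write_conf(path, text):
    """Write atomically and keep mode 0600: sssd refuses to start on a world-readable config."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(text)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)


def flush_cache(db_dir, backup_root):
    """Move every cache database out of db_dir into a timestamped backup directory.

    Moving instead of rm'ing covers the failure mode the answer warns about: if
    sssd cannot re-fetch from AD after restart, the old files can be moved back.
    Returns (backup_dir, sorted list of moved file names).
    """
    backup = os.path.join(backup_root, "sssd-db-" + time.strftime("%Y%m%d-%H%M%S"))
    os.makedirs(backup, mode=0o700)
    moved = []
    for name in os.listdir(db_dir):
        src = os.path.join(db_dir, name)
        if os.path.isfile(src):
            shutil.move(src, os.path.join(backup, name))
            moved.append(name)
    return backup, sorted(moved)


if __name__ == "__main__":
    # Run as root: sssd.conf is 0600 and the db directory is root-only.
    with open(SSSD_CONF) as f:
        conf = f.read()
    for finding in audit(conf):
        print("finding:", finding)
    conf = set_option(conf, "pam", "offline_credentials_expiration", "2")  # days; assumed value
    write_conf(SSSD_CONF, conf)
    subprocess.run(["systemctl", "stop", "sssd"], check=True)
    backup, moved = flush_cache(SSSD_DB_DIR, "/root")
    print(f"moved {moved} to {backup}")
    subprocess.run(["systemctl", "start", "sssd"], check=True)
```

After the restart, a login with the new AD password must be served online; if it is not, check that the AD controllers are reachable before restoring the backup, since a restored cache will again answer with the old password hash.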
DirkNiblick
Updated on September 18, 2022

Comments

- DirkNiblick, over 1 year ago:
I built a CentOS 7 install on my company laptop and configured it to authenticate to the company AD servers like so:
1. Install packages:
   yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python
2. Add AD servers to /etc/hosts.
3. Join realm:
   realm join --user=tech adserver.example.com
   realm permit -g activedirectorygroup@domain
4. Change use_fully_qualified_names to False and fallback_homedir to /home/%u in /etc/sssd/sssd.conf.
5. Restart daemons:
   systemctl restart sssd && systemctl daemon-reload
6. Set up ITGROUP to be able to use sudo:
   echo "%ITGROUP ALL=(ALL) ALL" > /etc/sudoers.d/ITGROUP
Everything has been working fine ...until I changed my password on my Windows 10 PC. In fact, the CentOS box is letting me in, but just with the old password. I've done a bunch of Googling and tried a bunch of things (e.g., sss_cache -E, kdestroy -A), but I can't seem to flush the cache so I can use my new password. So, how do I clear a user's cached Active Directory password on CentOS 7? Is there a way for a "regular" user to do that themselves (in case we wanted to roll this out to other systems)?
Update:
I tried some of the suggestions, but the laptop wouldn't forget the old credentials. I ended up removing the PC from the realm and re-adding it. I did add this to my sssd.conf:
  [sssd]
  ...
  account_cache_expiration = 2
  cached_auth_timeout = 3600
  refresh_expired_interval = 4050
  [pam]
  reconnection_retries = 3
  offline_credentials_expiration = 2
The login seems to be caching the AD stuff, but it tells me "Authenticated with cached credentials, your cached password will expire at:" now when I log in or sudo. I'm hoping that next time my password expires and I change it, this system will recognize it. FYI, my whole config is:
  [sssd]
  domains = adserver.example.com
  config_file_version = 2
  services = nss, pam

  [domain/adserver.example.com]
  ad_domain = adserver.example.com
  krb5_realm = adserver.example.com
  realmd_tags = manages-system joined-with-samba
  cache_credentials = True
  id_provider = ad
  krb5_store_password_if_offline = True
  default_shell = /bin/bash
  ldap_id_mapping = True
  use_fully_qualified_names = False
  fallback_homedir = /home/%u
  access_provider = simple
  simple_allow_groups = [email protected]
  account_cache_expiration = 2
  cached_auth_timeout = 3600
  refresh_expired_interval = 4050

  [pam]
  reconnection_retries = 3
  offline_credentials_expiration = 2
Update #2:
I've been using this configuration for quite some time now. I've increased the account_cache_expiration and offline_credentials_expiration from 2 to 4, but it's been working so well we've begun using this setup on our servers.

- xx4h, almost 6 years ago: Are you able to log in with a new user on the CentOS 7 machine?
- roaima, almost 6 years ago: Do you have an entry for entry_cache_timeout in your sssd.conf? The default is 5400 seconds, which means that every user, group, password, etc. record is re-requested from the upstream provider every hour and a half.
- DirkNiblick, almost 6 years ago: I do not have an entry_cache_timeout line in my config, so it should be using the default.
- duct_tape_coder, almost 5 years ago: I would recommend removing the offline_credentials_expiration line from your config. That line seems to be responsible for the "Authenticated with cached credentials" message. I removed it, reset my password in ADUC and logged in again with the new password without issue.

- Nasir Riley, almost 6 years ago: The location where you want to delete the cache contents is actually /var/lib/sss/db.
- DirkNiblick, almost 6 years ago: I tried your suggestion of adding cache_credentials = false and restarting sssd and removing the db files, but nothing I tried would make it "forget" the old password.