0

I have Ubuntu 22.04 clients witch login with activeDirectory Domain accounts. (joined domain)

A password policy is active to force a new password every 2 month. The password can be changed on multiple plattforms (Owa, MS Teams, TerminalServer).

if a user does not change his password in Ubuntu, it doesn't get syncroniest to the Ubuntu client and only the old Password is valid for login.

in my sssd.conf i have

krb5_store_password_if_offline = True
cache_credentials = True

Because the Clients a used in homeoffice and need to login before connecting to the vpn.

is this a problem? Can i force sync. Passwords?

M41DZ3N
  • 103
  • 2

1 Answers1

2

The client (SSSD) will eventually sync the password while on VPN. If you don't want to wait, an SSSD restart (sudo systemctl restart sssd.service) should trigger a sync, but that requires elevated rights and technical skills, so it's not realistic.

Just let SSSD do its scheduled sync and it should solve itself. The next time they log in to the OS, it should ask for the new password.

In any case, forcing a new password every 2 months is absolutely nonsensical and does more harm than good. It forces users to take note of the password on sticky notes etc., so it will make the password less secure. Passwords won't "expire" on their own, they don't rot. A new password isn't stronger than an old one just because it's new. Their strength comes from length and complexity, and also multi-factor auth whenever possible.

Disclaimer: I'm an infosec officer.

bviktor
  • 900
  • 6
  • 12
  • thanks! i agree with you on new the password policy, Sadly im not in the position to change any of that. We started to rollout 2FA so maybe it will change soon. – M41DZ3N Nov 08 '22 at 08:43