Getting access denied when "user must change password at next logon" is checked.
I have got a RHEL 5.6 server configured to authenticate via a Windows 2008 domain controller via LDAPS. Everything is working fine, except for the following:
When I create a new user in Active Directory and check the option "user must change password at next logon", the new user cannot log on and gets an "access denied" message.
In /var/log/secure, I find the following:
Mar 1 14:43:21 cpssvn10 sshd[5363]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.3.12 user=testuser2
Mar 1 14:43:21 cpssvn10 sshd[5363]: pam_ldap: error trying to bind as user "CN=CPSS Testuser 2,OU=IBM,DC=cpss,DC=smarterplatform,DC=com" (Invalid credentials)
Mar 1 14:43:23 cpssvn10 sshd[5363]: Failed password for testuser2 from 192.168.3.12 port 4583 ssh2
As soon as I uncheck the "user must change ..." option, the user can log on without problems. Also, password change via the passwd command works.
The security guidelines of my company require that a new user must change his password. What can I do?