Score:0

Ubuntu 22.04 Active Directory Password Synchronisation


I have Ubuntu 22.04 clients which log in with Active Directory domain accounts (joined to the domain).

A password policy is active to force a new password every 2 months. The password can be changed on multiple platforms (OWA, MS Teams, Terminal Server).

If a user does not change his password in Ubuntu, it doesn't get synchronised to the Ubuntu client and only the old password is valid for login.

In my sssd.conf I have

krb5_store_password_if_offline = True
cache_credentials = True

because the clients are used in home office and need to log in before connecting to the VPN.

Is this a problem? Can I force a sync of passwords?

Score:2

The client (SSSD) will eventually sync the password while on VPN. If you don't want to wait, an SSSD restart (sudo systemctl restart sssd.service) should trigger a sync, but that requires elevated rights and technical skills, so it's not realistic.

Just let SSSD do its scheduled sync and it should solve itself. The next time they log in to the OS, it should ask for the new password.

In any case, forcing a new password every 2 months is absolutely nonsensical and does more harm than good. It forces users to take note of the password on sticky notes etc., so it will make the password less secure. Passwords won't "expire" on their own, they don't rot. A new password isn't stronger than an old one just because it's new. Their strength comes from length and complexity, and also multi-factor auth whenever possible.

Disclaimer: I'm an infosec officer.
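The behaviour described in the question and the answer follows from two sssd.conf settings: with `cache_credentials = True`, SSSD keeps a hash of the last password that authenticated online, so a password changed on another platform is only picked up after the next successful online authentication; and `offline_credentials_expiration` in the `[pam]` section (SSSD default 0, meaning cached credentials never expire) decides how long that stale hash stays usable. The following script is an added example, not code from the question or from SSSD: it parses a constructed sssd.conf and reports what the configuration implies for offline logins. The sample config, the domain name `example.corp` and the function names are assumptions for illustration.

```python
import configparser

# Constructed sample sssd.conf, modelled on the settings quoted in the question.
# It is not taken from any real system.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = example.corp

[domain/example.corp]
id_provider = ad
auth_provider = ad
access_provider = ad
krb5_store_password_if_offline = True
cache_credentials = True

[pam]
offline_credentials_expiration = 0
"""


def as_bool(value: str) -> bool:
    """SSSD accepts true/yes/1 (case-insensitive) for boolean options."""
    return value.strip().lower() in ("true", "yes", "1")


def audit_offline_login(conf_text: str) -> dict:
    """Return, per configured domain, the settings that govern offline logins
    and a list of plain-language findings about stale cached passwords."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)

    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    # SSSD default for offline_credentials_expiration is 0: cached logins never expire.
    expiry_days = cp.getint("pam", "offline_credentials_expiration", fallback=0)

    report = {}
    for dom in domains:
        section = f"domain/{dom}"
        # Both options default to false in SSSD when not set.
        cache = as_bool(cp.get(section, "cache_credentials", fallback="false"))
        store_pw = as_bool(cp.get(section, "krb5_store_password_if_offline", fallback="false"))

        findings = []
        if cache:
            findings.append(
                "offline logins use the cached password hash; a password changed on another "
                "platform is not accepted until the next successful online authentication"
            )
            if expiry_days == 0:
                findings.append("cached credentials never expire (offline_credentials_expiration = 0)")
            else:
                findings.append(f"cached credentials expire {expiry_days} days after the last online login")
        else:
            findings.append("no offline logins possible (cache_credentials is off)")
        if store_pw:
            findings.append(
                "the offline password is kept in the kernel keyring so a Kerberos ticket "
                "can be obtained once the client is back online"
            )

        report[dom] = {
            "cache_credentials": cache,
            "krb5_store_password_if_offline": store_pw,
            "offline_credentials_expiration": expiry_days,
            "findings": findings,
        }
    return report


if __name__ == "__main__":
    for dom, info in audit_offline_login(SAMPLE_SSSD_CONF).items():
        print(f"[{dom}] cache_credentials={info['cache_credentials']} "
              f"krb5_store_password_if_offline={info['krb5_store_password_if_offline']} "
              f"offline_credentials_expiration={info['offline_credentials_expiration']}")
        for f in info["findings"]:
            print("  -", f)
```

Run it against a copy of the client's own /etc/sssd/sssd.conf (the file is root-readable only, so copy it with appropriate rights first) to confirm that the stale-password window is a consequence of the caching settings rather than a sync failure; setting a non-zero `offline_credentials_expiration` bounds how long an old cached password remains usable on a client that never reconnects.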

M41DZ3N: Thanks! I agree with you on the new password policy. Sadly I'm not in the position to change any of that. We started to roll out 2FA so maybe it will change soon.
