Hi,
I’ve got a small issue on Alma 9.5 and Gnome. I’m using sssd with AD and GDM for login. My Authselect configuration is sssd with-mkhomedir.
My issue is when a password is reset the gnome keyring password for login is not also reset and requires a separate step to either delete it and regenerate it or reset the password on it.
- A password is expired through AD; the users are prompted to reset their password at GDM.
- User resets their password by filling out the prompts at GDM and logs in
- Their AD credentials are now reset at this point
- User clicks on Chrome (google official stable chrome for their repos)
- Gnome key ring prompts them for their old password
- At this point I get a phone call and I explain the prompt to the user and they type in their old password.
What I would like to have happen instead:
- During the GDM prompt a pam module resets the gnome default keyring.
This seems possible given that pam has access to their new and their old password and manages to send it on to AD through sssd. Is there a configuration of pam that would allow this sort of situation?
I thought that with-pam-gnome-keyring from the authselect sssd profile might provide something like this, but it seems to only be for users of gnome-keyring that aren’t utilizing GDM-managed sessions.
The pam_gnome_keyring documentation mentions this as a feature, and indeed it seems like it’s being used:
jorussell@testalma:/etc/pam.d$ grep -R authtok
gdm-password:-password optional pam_gnome_keyring.so use_authtok
passwd:-password optional pam_gnome_keyring.so use_authtok
password-auth:password sufficient pam_unix.so sha512 shadow nullok use_authtok
password-auth:password sufficient pam_sss.so use_authtok
system-auth:password sufficient pam_unix.so sha512 shadow nullok use_authtok
But I would expect there to not be a password prompt again after using
gdm-password:-password optional pam_gnome_keyring.so use_authtok
like I am seeing. But I might be misinterpreting the documentation.
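As an added example (not part of the post above), here is a small script that resolves a PAM service's effective "password" stack through include/substack and checks whether pam_gnome_keyring.so with use_authtok sits after pam_sss.so, which is the ordering that lets it pick up the new password. The embedded pam.d contents are constructed from the grep output in the post; the assumption that gdm-password reaches password-auth via "substack" mirrors the stock EL9 authselect layout.

```python
# Constructed sample of /etc/pam.d files, modelled on the grep output in the post.
# Assumption: gdm-password reaches password-auth through a "substack" line.
PAMD = {
    "gdm-password": """auth      substack   password-auth
account   include    password-auth
password  substack   password-auth
-password optional   pam_gnome_keyring.so use_authtok
session   include    password-auth
""",
    "password-auth": """auth      sufficient pam_unix.so nullok
password  requisite  pam_pwquality.so local_users_only
password  sufficient pam_unix.so sha512 shadow nullok use_authtok
password  sufficient pam_sss.so use_authtok
password  required   pam_deny.so
""",
}

def password_stack(service, files=PAMD, depth=0):
    """Return the effective 'password' stack of a service as
    (module, control, args, optional) tuples, following include/substack."""
    if depth > 8:
        raise ValueError("include loop in PAM config")
    stack = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments / blank lines
        if not line:
            continue
        optional = line.startswith("-")          # leading '-': skip quietly if the module is absent
        fields = line.lstrip("-").split()
        if fields[0] != "password":              # only the password (chauthtok) phase matters here
            continue
        control, module, args = fields[1], fields[2], " ".join(fields[3:])
        if control in ("include", "substack"):
            stack.extend(password_stack(module, files, depth + 1))
        else:
            stack.append((module, control, args, optional))
    return stack

def keyring_runs_after_sss(service, files=PAMD):
    """True if pam_gnome_keyring.so carries use_authtok and runs after
    pam_sss.so, so it reuses the new password pam_sss just sent to AD."""
    stack = password_stack(service, files)
    names = [m for m, _, _, _ in stack]
    if "pam_gnome_keyring.so" not in names or "pam_sss.so" not in names:
        return False
    kr = names.index("pam_gnome_keyring.so")
    return kr > names.index("pam_sss.so") and "use_authtok" in stack[kr][2]

if __name__ == "__main__":
    for mod, ctl, args, opt in password_stack("gdm-password"):
        print(f"{'-' if opt else ' '}password {ctl:10} {mod} {args}")
    print("keyring after sss with use_authtok:", keyring_runs_after_sss("gdm-password"))
```

Point it at real files by replacing PAMD with a dict read from /etc/pam.d to see the stack a given host actually runs.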