Added some follow up information.
DirkNiblick

I built a CentOS 7 install on my company laptop and configured it to authenticate to the company AD servers like so:

  • Install packages:

     yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python
    
  • Add AD servers to /etc/hosts.

  • Join realm:

     realm join --user=tech adserver.example.com
     realm permit -g activedirectorygroup@domain
    
  • Change use_fully_qualified_names to False and fallback_homedir to /home/%u in /etc/sssd/sssd.conf.

  • Restart daemons:

     systemctl restart sssd && systemctl daemon-reload
    
  • Set up ITGROUP to be able to use sudo:

     # sudo only reads this file if it is not world-writable and its name contains no '.'
     echo "%ITGROUP  ALL=(ALL)  ALL" > /etc/sudoers.d/ITGROUP
    

Everything had been working fine... until I changed my password on my Windows 10 PC. In fact, the CentOS box is still letting me in, but only with the old password. I've done a bunch of Googling and tried a bunch of things (e.g., sss_cache -E, kdestroy -A), but I can't seem to flush the cache so I can use my new password.

So, how do I clear a user's cached Active Directory password on CentOS 7? Is there a way for a "regular" user to do that themselves (in case we wanted to roll this out to other systems)?

## Update

I tried some of the suggestions, but the laptop wouldn't forget the old credentials. I ended up removing the PC from the realm and re-adding it. I did add this to my sssd.conf:

[sssd]
...
account_cache_expiration = 2
cached_auth_timeout = 3600
refresh_expired_interval = 4050

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2

The login seems to be caching the AD stuff, but it tells me "Authenticated with cached credentials, your cached password will expire at: now" when I log in or sudo. I'm hoping that next time my password expires and I change it, this system will recognize it. FYI, my whole config is:

[sssd]
domains = adserver.example.com
config_file_version = 2
services = nss, pam

[domain/adserver.example.com]
ad_domain = adserver.example.com
krb5_realm = adserver.example.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = simple
simple_allow_groups = [email protected]
account_cache_expiration = 2
cached_auth_timeout = 3600
refresh_expired_interval = 4050

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2

## Update #2

I've been using this configuration for quite some time now. I've increased the account_cache_expiration and offline_credentials_expiration from 2 to 4, but it's been working so well we've begun using this setup on our servers.
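As an added example (not code from the question or from SSSD itself), here is a small audit of the credential-caching settings in an sssd.conf, using the option semantics from sssd.conf(5): cached_auth_timeout is the window in seconds after a successful online login during which SSSD keeps accepting the cached password even while online, and offline_credentials_expiration / account_cache_expiration are in days with 0 meaning never expire. The embedded config is a constructed excerpt of the one above.

```python
"""Audit the credential-caching settings of an sssd.conf.

Added example, not from the original post. Reads the [domain/...] and [pam]
sections and reports how long a password that has already been changed in AD
can still be accepted locally from the cache (semantics per sssd.conf(5)).
"""
import configparser
import io

# Constructed excerpt of the configuration shown in the question.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = adserver.example.com
config_file_version = 2
services = nss, pam

[domain/adserver.example.com]
cache_credentials = True
cached_auth_timeout = 3600
account_cache_expiration = 2

[pam]
offline_credentials_expiration = 2
"""


def audit_sssd_cache(conf_text):
    """Return a dict of findings keyed by each [domain/...] section name."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_file(io.StringIO(conf_text))
    # Days that offline logins keep working after the last online login; 0 = no limit.
    pam_days = parser.getint("pam", "offline_credentials_expiration", fallback=0)
    findings = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        caches = parser.getboolean(section, "cache_credentials", fallback=False)
        # Seconds after an online login during which the cached password is still
        # accepted even though SSSD is online; 0 disables this behaviour.
        online_window = parser.getint(section, "cached_auth_timeout", fallback=0)
        acct_days = parser.getint(section, "account_cache_expiration", fallback=0)
        notes = []
        if caches and pam_days == 0:
            notes.append("offline cached logins never expire (offline_credentials_expiration = 0)")
        if caches and acct_days and acct_days < pam_days:
            notes.append("account_cache_expiration must be >= offline_credentials_expiration")
        if online_window:
            notes.append(f"old password accepted from cache for up to {online_window}s after last online auth")
        findings[section] = {
            "cache_credentials": caches,
            "online_cache_window_s": online_window,
            "offline_cache_days": pam_days if caches else 0,
            "notes": notes,
        }
    return findings


if __name__ == "__main__":
    for domain, info in audit_sssd_cache(SAMPLE_SSSD_CONF).items():
        print(domain, info)
```

With the settings above, a password that was changed in AD stays accepted from the cache for up to an hour after the last online login, which is the window the audit reports.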