I'm using LDAP on a Debian 9.8 system. After receiving a
Your account has expired; please contact your system administrator
for one of my users, I tried unsuccessfully several of the solutions online but none of them seemed to work fully. I did manage to regain access to the user by changing the password from root (sudo passwd user), but the message kept appearing even though access was granted!
I found that if I comment:
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
on pam.d/common_account the message disappears, but it also disappears for all other users that are rightfully expired. How come pam_unix.so (and not pam_ldap) is able to say whether the user account is expired? (/etc/passwd and /etc/shadow do not have user info)
And of course, please advise on how to remove the account expired note from the user whose password has been renewed.
Thanks!