Logging on with an expired password

If you want to allow users to log on to Centrify-managed computers even if their password has expired in Active Directory, there are additional configuration steps you must perform.

  • On each Centrify-managed computer where you want to support the Use My Account feature, open the centrifydc.conf file (/etc/centrifydc/centrifydc.conf) and verify that the following parameter is either set to true or not set at all (the default is true):
    pam.allow.password.expired.access: true
  • Then edit the appropriate files for your system type as shown below.

    System type: Red Hat Linux computers
    Edit file: system-auth

    • Access the /etc/pam.d/system-auth file.
    • In the auth line add deny_pwexp.
    • In the account line add skip_pwexp_check.

      For example:

      auth sufficient pam_centrifydc.so deny_pwexp ...

      account sufficient pam_centrifydc.so skip_pwexp_check

    System type: SuSE Linux computers
    Edit files: common-auth and common-account

    • Access the /etc/pam.d/common-auth file.
    • Edit the auth line to add deny_pwexp.
    • Access the /etc/pam.d/common-account file.
    • Edit the account line to add skip_pwexp_check.

    System type: Solaris, HPUX, and AIX with standard SSHD
    Edit file: pam.conf

    • Access the /etc/pam.conf file.
    • Edit the auth and account lines for the ssh service.

      For example:

      ssh   auth    sufficient  pam_centrifydc  deny_pwexp
      ...
      ssh account   sufficient  pam_centrifydc skip_pwexp_check
Note: Changes to the auth and account settings affect all login-related services.
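As an added check (this is example code, not Centrify's own tooling), the following POSIX shell script verifies that a PAM file carries deny_pwexp on its pam_centrifydc auth line and skip_pwexp_check on its pam_centrifydc account line, and that centrifydc.conf does not explicitly set pam.allow.password.expired.access to false. It handles both pam.d-style files and a Solaris-style pam.conf, runs against constructed sample files in a temporary directory, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not Centrify tooling): verify the two PAM options the procedure adds
# and the centrifydc.conf parameter it relies on. Handles pam.d files (management
# group in field 1) and Solaris-style pam.conf (service in field 1, group in field 2).

# pam_has_option FILE GROUP OPTION: exit 0 if a non-comment GROUP line
# (auth/account) loads pam_centrifydc with OPTION among its arguments.
pam_has_option() {
    sed 's/#.*//' "$1" | awk -v t="$2" -v o="$3" '
        {
            i = ($1 == t) ? 1 : (($2 == t) ? 2 : 0)   # column holding the group
            if (i == 0) next
            mod = 0; opt = 0
            for (k = i + 1; k <= NF; k++) {
                if ($k ~ /^pam_centrifydc/) mod = 1
                if (mod && $k == o) opt = 1          # option must follow the module
            }
            if (mod && opt) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# check_service FILE: report which of the two options is missing; exit 0 when both present.
check_service() {
    rc=0
    pam_has_option "$1" auth deny_pwexp || { echo "$1: auth line lacks deny_pwexp"; rc=1; }
    pam_has_option "$1" account skip_pwexp_check || { echo "$1: account line lacks skip_pwexp_check"; rc=1; }
    return $rc
}

# conf_allows_expired FILE: exit 0 unless the parameter is explicitly false (absent or commented out = default true).
conf_allows_expired() {
    ! grep -Eq '^[[:space:]]*pam\.allow\.password\.expired\.access[[:space:]]*:[[:space:]]*false' "$1"
}

# Constructed sample files (not taken from a real system).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/system-auth" <<'EOF'
#%PAM-1.0
auth     sufficient pam_centrifydc.so deny_pwexp
account  sufficient pam_centrifydc.so skip_pwexp_check
EOF
cat > "$tmp/pam.conf" <<'EOF'
ssh   auth    sufficient  pam_centrifydc  deny_pwexp
ssh   account sufficient  pam_centrifydc
EOF
printf 'pam.allow.password.expired.access: false\n' > "$tmp/centrifydc.conf"
check_service "$tmp/system-auth" || :        # fully configured: prints nothing
check_service "$tmp/pam.conf" || :           # reports the missing skip_pwexp_check
conf_allows_expired "$tmp/centrifydc.conf" || echo "$tmp/centrifydc.conf: expired-password access disabled"
```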