Hello,<br><br><br>pam_winbind.so has been utilized on some of our linux servers to provide AD authentication for ssh connections. <br>It was accomplished by editing the /etc/pam.d/login and /etc/pam.d/sshd files, which I'll post further down.<br>
We still have a significant number of uids which are configured locally on the linux systems. I have noticed on these <br>local accounts that I can no longer force password changes using chage -d 0 <username> or the passwd -M 0 <username>. I haven't tested whether additional options to pam_cracklib will be enforced if added. <br>
<br>Was hoping a more experienced eye could catch why this is happening.<br><br>/etc/pam.d/login<br># cat login<br>#%PAM-1.0<br>auth required pam_securetty.so<br>auth sufficient /lib/security/pam_winbind.so<br>
auth sufficient /lib/security/pam_unix.so use_first_pass<br>auth required pam_stack.so service=system-auth<br>auth required pam_nologin.so<br>account sufficient /lib/security/pam_winbind.so<br>
account required pam_stack.so service=system-auth<br>password required pam_stack.so service=system-auth<br>session required pam_stack.so service=system-auth<br>session optional pam_console.so<br>
<br> <br>/etc/pam.d/sshdPAM-1.0<br>#auth required pam_securetty.so<br>auth sufficient /lib/security/pam_winbind.so<br>auth sufficient /lib/security/pam_krb5.so realm=<a href="http://WINDOMAINONE.COM">WINDOMAINONE.COM</a><br>
auth sufficient /lib/security/pam_krb5.so realm=<a href="http://WINDOMAINTWO.COM">WINDOMAINTWO.COM</a><br>auth sufficient /lib/security/pam_unix.so use_first_pass<br>auth required pam_stack.so service=system-auth<br>
auth required pam_nologin.so<br>account sufficient /lib/security/pam_winbind.so<br>account required pam_stack.so service=system-auth<br>password required pam_stack.so service=system-auth<br>session required pam_stack.so service=system-auth<br>
session optional pam_console.so<br><br><br>Output from a chage -l for a user which is locally authenticated<br># chage -l <localuser><br>Minimum: 0<br>Maximum: 0<br>Warning: 7<br>Inactive: -1<br>
Last Change: Never<br>Password Expires: Never<br>Password Inactive: Never<br>Account Expires: Never<br><br>When I su to this user I get prompted to change the password, however when I ssh as this user, I go right through without getting prompted using the local password that I configured. Here is the /etc/pam.d/su file<br>
<br>#%PAM-1.0<br>auth sufficient /lib/security/$ISA/pam_rootok.so<br>auth required /lib/security/$ISA/pam_stack.so service=system-auth<br>account required /lib/security/$ISA/pam_stack.so service=system-auth<br>
password required /lib/security/$ISA/pam_stack.so service=system-auth<br>session required /lib/security/$ISA/pam_stack.so service=system-auth<br>session optional /lib/security/$ISA/pam_xauth.so<br><br>
<br>system-auth - posted due to the references in login and sshd<br>#%PAM-1.0<br># This file is auto-generated.<br># User changes will be destroyed the next time authconfig is run.<br>auth required /lib/security/$ISA/pam_env.so<br>
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok<br>auth required /lib/security/$ISA/pam_deny.so<br><br>account required /lib/security/$ISA/pam_unix.so<br><br>password required /lib/security/$ISA/pam_cracklib.so retry=3<br>
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow<br>password required /lib/security/$ISA/pam_deny.so<br><br>session required /lib/security/$ISA/pam_limits.so<br>session required /lib/security/$ISA/pam_unix.so<br>
<br><br><br>