Hello,

pam_winbind.so has been utilized on some of our Linux servers to provide AD authentication for ssh connections. It was accomplished by editing the /etc/pam.d/login and /etc/pam.d/sshd files, which I'll post further down.

We still have a significant number of uids which are configured locally on the Linux systems. I have noticed on these local accounts that I can no longer force password changes using chage -d 0 <username> or passwd -M 0 <username>. I haven't tested whether additional options to pam_cracklib will be enforced if added.
I was hoping a more experienced eye could catch why this is happening.

/etc/pam.d/login
# cat login
#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

/etc/pam.d/sshd
#%PAM-1.0
#auth       required    pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_krb5.so realm=WINDOMAINONE.COM
auth       sufficient   /lib/security/pam_krb5.so realm=WINDOMAINTWO.COM
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

Output from chage -l for a user who is locally authenticated:
# chage -l <localuser>
Minimum:        0
Maximum:        0
Warning:        7
Inactive:       -1
Last Change:            Never
Password Expires:       Never
Password Inactive:      Never
Account Expires:        Never

When I su to this user I get prompted to change the password; however, when I ssh as this user, I go right through without getting prompted, using the local password that I configured. Here is the /etc/pam.d/su file:
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
session    optional     /lib/security/$ISA/pam_xauth.so

system-auth (posted because login and sshd reference it):
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
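As an added illustration (not code from the post or the poster's systems), the following Python script walks an account stack the way Linux-PAM combines the simple control flags, using the sshd and system-auth account lines posted above. The module return values are constructed inputs, so it shows only how a "sufficient" pam_winbind verdict placed before "pam_stack.so service=system-auth" would decide the stack before pam_unix's expiry check is ever consulted, not what pam_winbind actually returns for a local account.

```python
"""Simulate how Linux-PAM combines simple control flags. Added illustration for this
thread, not the poster's code; module return values are constructed inputs."""
SUCCESS, NEW_AUTHTOK_REQD, USER_UNKNOWN = "PAM_SUCCESS", "PAM_NEW_AUTHTOK_REQD", "PAM_USER_UNKNOWN"
# Linux-PAM's expansion of the simple control keywords into per-result actions.
FLAGS = {
    "required":   {SUCCESS: "ok", NEW_AUTHTOK_REQD: "ok", "default": "bad"},
    "requisite":  {SUCCESS: "ok", NEW_AUTHTOK_REQD: "ok", "default": "die"},
    "sufficient": {SUCCESS: "done", NEW_AUTHTOK_REQD: "done", "default": "ignore"},
    "optional":   {SUCCESS: "ok", NEW_AUTHTOK_REQD: "ok", "default": "ignore"},
}

def parse_pam(text, group):
    """Return (control, module basename, argument string) for one management group."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == group:
            entries.append((parts[1], parts[2].split()[0].rsplit("/", 1)[-1], parts[2]))
    return entries

def run_stack(entries, outcomes):  # mirrors pam_dispatch's impression/status bookkeeping
    impression, status = "undef", None
    for control, module, args in entries:
        if module == "pam_stack.so":  # nested service, as in the posted files
            result = run_stack(outcomes["services"][args.split("service=")[1].strip()], outcomes)
        else:
            result = outcomes["modules"][module]
        action = FLAGS[control].get(result, FLAGS[control]["default"])
        if action in ("ok", "done"):
            if impression == "undef" or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", result
            if action == "done" and impression == "positive":
                break  # sufficient succeeded: the remaining modules never run
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", result  # first failure wins
            if action == "die":
                break
    return status if impression != "undef" else "PAM_PERM_DENIED"
# Account stacks copied from the post's sshd and system-auth files.
SSHD = ("account    sufficient   /lib/security/pam_winbind.so\n"
        "account    required     pam_stack.so service=system-auth\n")
SYSTEM_AUTH = "account     required      /lib/security/$ISA/pam_unix.so\n"

def account_result(winbind_result):
    """Local user expired with chage -d 0, so pam_unix reports PAM_NEW_AUTHTOK_REQD."""
    outcomes = {"modules": {"pam_winbind.so": winbind_result,
                            "pam_unix.so": NEW_AUTHTOK_REQD},
                "services": {"system-auth": parse_pam(SYSTEM_AUTH, "account")}}
    return run_stack(parse_pam(SSHD, "account"), outcomes)
```

With winbind returning success the stack finishes as PAM_SUCCESS and pam_unix is never asked, so no password change is demanded; with winbind returning PAM_USER_UNKNOWN the system-auth sub-stack runs and PAM_NEW_AUTHTOK_REQD propagates to the application.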