[Freeipa-users] Can't login with on client after password-auth modification

Alexander Bokovoy abokovoy at redhat.com
Tue Oct 25 19:34:52 UTC 2016


On ti, 25 loka 2016, Matthew Carter wrote:
>So a Gov't STIG has had me add to /etc/pam.d/password-auth:
>
>auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
>account     required      pam_faillock.so
>
>So that it looks like this:
>
>auth        required      pam_env.so
>auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
>auth        sufficient    pam_unix.so nullok try_first_pass
>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
>auth        requisite     pam_succeed_if.so uid >= 500 quiet
>auth        required      pam_deny.so
>
>account     required      pam_faillock.so
>account     required      pam_unix.so
>account     sufficient    pam_localuser.so
>account     sufficient    pam_succeed_if.so uid < 500 quiet
>account     required      pam_permit.so
>
>and now IPA users get a permission denied. Local users can still log in.
>
>I'm not even sure where to start . . .
You don't have pam_sss.so anywhere so any IPA password check could not
be done, only pam_unix.so which checks /etc/passwd or /etc/shadow.

Then you'd need to wrap pam_sss use in 'auth' with pam_faillock.so too:

 pam_faillock.so preauth
 pam_sss.so ....
 pam_faillock.so authfail


-- 
/ Alexander Bokovoy
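The shape of the fix described in the reply, as an added example rather than anything posted in this thread or shipped by FreeIPA: a corrected auth/account stack for /etc/pam.d/password-auth that keeps the poster's pam_faillock arguments and adds pam_sss.so, followed by a small POSIX sh/awk checker that confirms pam_sss.so is present in the auth phase and sits between the pam_faillock preauth and authfail lines. The three stacks are constructed for the example; the pam_sss.so options (use_first_pass on the auth line, the [default=bad success=ok user_unknown=ignore] control on the account line) follow the usual authconfig layout and are assumptions here, not something the thread specifies. Placement matters: pam_unix.so is 'sufficient', so for an IPA user with no /etc/shadow entry it fails and the stack continues to the next line; if that line is the [default=die] authfail entry, the stack dies before pam_sss.so ever runs, which is why authfail goes after pam_sss.so.

```shell
#!/bin/sh
# Added example (not from the thread): a corrected password-auth stack plus a
# checker for the ordering pam_faillock preauth -> pam_sss.so -> pam_faillock authfail.

# Constructed: the poster's auth lines as quoted in the thread. No pam_sss.so,
# so only /etc/passwd and /etc/shadow are ever consulted.
POSTER_STACK='auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so'

# Constructed: pam_sss.so added, but the only authfail line sits between pam_unix
# and pam_sss. pam_unix is "sufficient", so its failure for an IPA user falls
# through to "[default=die]", which ends the stack before pam_sss.so runs.
MISORDERED_STACK='auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so'

# Constructed corrected stack: preauth first, both password modules, then authfail.
# The pam_sss.so options and the account-phase control are assumed (authconfig style).
FIXED_STACK='auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so'

# check_stack: read a PAM stack on stdin; exit 0 only if an auth line loads
# pam_sss.so, a pam_faillock preauth line precedes it, and a pam_faillock
# authfail line follows it. Prints one line per problem found.
check_stack() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        $1 != "auth" { next }                            # only the auth phase matters here
        { n++ }                                          # position among auth lines
        /pam_faillock\.so/ && /preauth/ && !pre { pre = n }
        /pam_sss\.so/ && !sss                    { sss = n }
        /pam_faillock\.so/ && /authfail/         { af = n }   # last authfail wins
        END {
            rc = 0
            if (!sss) { print "missing: auth pam_sss.so"; rc = 1 }
            if (!pre) { print "missing: pam_faillock.so preauth"; rc = 1 }
            if (!af)  { print "missing: pam_faillock.so authfail"; rc = 1 }
            if (sss && pre && pre > sss) { print "order: preauth must precede pam_sss.so"; rc = 1 }
            if (sss && af && af < sss)   { print "order: authfail must follow pam_sss.so"; rc = 1 }
            if (!rc) print "ok: pam_sss.so wrapped by pam_faillock preauth/authfail"
            exit rc
        }'
}

# Stand-alone run: report on all three constructed stacks.
for name in POSTER_STACK MISORDERED_STACK FIXED_STACK; do
    eval "stack=\$$name"
    printf '== %s ==\n' "$name"
    printf '%s\n' "$stack" | check_stack || printf 'result: %s needs fixing\n' "$name"
done
```

On a real client the same check runs as `check_stack < /etc/pam.d/password-auth` (and again for system-auth); it only looks at module names and order, so it will not catch wrong faillock arguments, and it does not replace testing a login as an IPA user after the edit.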
