pam_winbind implemented, lost local user aging - redhat AS 3
Jason Kimbrough
rc6dotd at gmail.com
Fri Jul 11 15:28:40 UTC 2008
Hello,
pam_winbind.so has been utilized on some of our Linux servers to provide AD
authentication for ssh connections.
It was accomplished by editing the /etc/pam.d/login and /etc/pam.d/sshd
files, which I'll post further down.
We still have a significant number of uids which are configured locally on
the Linux systems. I have noticed on these
local accounts that I can no longer force password changes using chage -d 0
<username> or the passwd -M 0 <username>. I haven't tested whether
additional options to pam_cracklib will be enforced if added.
Was hoping a more experienced eye could catch why this is happening.
/etc/pam.d/login
# cat login
#%PAM-1.0
auth required pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient /lib/security/pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
/etc/pam.d/sshd
#%PAM-1.0
#auth required pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_krb5.so realm=WINDOMAINONE.COM
auth sufficient /lib/security/pam_krb5.so realm=WINDOMAINTWO.COM
auth sufficient /lib/security/pam_unix.so use_first_pass
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient /lib/security/pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
Output from a chage -l for a user which is locally authenticated
# chage -l <localuser>
Minimum: 0
Maximum: 0
Warning: 7
Inactive: -1
Last Change: Never
Password Expires: Never
Password Inactive: Never
Account Expires: Never
When I su to this user I get prompted to change the password, however when I
ssh as this user, I go right through without getting prompted using the
local password that I configured. Here is the /etc/pam.d/su file
#%PAM-1.0
auth sufficient /lib/security/$ISA/pam_rootok.so
auth required /lib/security/$ISA/pam_stack.so service=system-auth
account required /lib/security/$ISA/pam_stack.so service=system-auth
password required /lib/security/$ISA/pam_stack.so service=system-auth
session required /lib/security/$ISA/pam_stack.so service=system-auth
session optional /lib/security/$ISA/pam_xauth.so
system-auth - posted due to the references in login and sshd
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
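To see why the `sufficient` control flag on the pam_winbind account line matters, here is an added example (not part of the original mail, and not Linux-PAM or Samba code) that simulates PAM's control-flag evaluation over the account stacks posted above, with the `pam_stack.so service=system-auth` lines expanded into system-auth's single `account` line. It rests on one labelled assumption: that pam_winbind's account module returns PAM_SUCCESS for a user that exists locally. The return-code names are PAM's; the simulation, the per-user result table and the reordered stack are illustrative and not a tested recommendation for this site.

```python
"""Simulate Linux-PAM control-flag evaluation for the account stacks in the
mail above. Added illustration only; not code from the original post, from
Linux-PAM or from Samba.

Labelled assumption: for a user that exists in /etc/passwd, the pam_winbind
account module returns PAM_SUCCESS rather than PAM_USER_UNKNOWN. Under that
assumption the `sufficient` control flag ends the stack before pam_unix's
shadow-aging check in system-auth ever runs.
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"   # pam_unix: password change is due
PAM_PERM_DENIED = "PAM_PERM_DENIED"             # Linux-PAM result for an empty stack


def run_stack(stack, results):
    """Walk a PAM stack with the classic control flags.

    stack:   list of (control, module) in file order; pam_stack.so lines are
             assumed already expanded into the modules of system-auth.
    results: mapping module -> return code for the user being checked.
    Returns (final_code, modules_consulted).
    """
    first_failure = None   # the first failing required/requisite line wins
    any_success = False
    consulted = []
    for control, module in stack:
        rc = results[module]
        consulted.append(module)
        if rc == PAM_IGNORE:           # module asked to be treated as absent
            continue
        if control in ("required", "requisite"):
            if rc == PAM_SUCCESS:
                any_success = True
            else:
                first_failure = first_failure or rc
                if control == "requisite":    # requisite fails fast
                    return first_failure, consulted
        elif control == "sufficient":
            # Success ends the stack, but only if no earlier required line failed.
            if rc == PAM_SUCCESS and first_failure is None:
                return PAM_SUCCESS, consulted
            # a failing sufficient line is simply ignored
        elif control == "optional":
            if len(stack) == 1:            # optional only decides a one-line stack
                return rc, consulted
    if first_failure is not None:
        return first_failure, consulted
    return (PAM_SUCCESS if any_success else PAM_PERM_DENIED), consulted


# Constructed return codes for the local user from the chage output above
# (Maximum 0, Last Change Never => pam_unix demands a new password).
# pam_winbind returning PAM_SUCCESS for that user is the labelled assumption.
LOCAL_USER = {
    "pam_winbind.so": PAM_SUCCESS,
    "pam_unix.so": PAM_NEW_AUTHTOK_REQD,
}

# /etc/pam.d/sshd account stack as posted, with pam_stack.so service=system-auth
# replaced by system-auth's one account line.
SSHD_ACCOUNT_AS_POSTED = [
    ("sufficient", "pam_winbind.so"),
    ("required", "pam_unix.so"),
]

# /etc/pam.d/su account stack: system-auth only.
SU_ACCOUNT = [("required", "pam_unix.so")]

# Reordered stack (illustration, not a tested recommendation): the local aging
# check runs first, and a later `sufficient` cannot override its result.
SSHD_ACCOUNT_REORDERED = [
    ("required", "pam_unix.so"),
    ("sufficient", "pam_winbind.so"),
]


def ssh_as_posted():
    return run_stack(SSHD_ACCOUNT_AS_POSTED, LOCAL_USER)


def su_as_posted():
    return run_stack(SU_ACCOUNT, LOCAL_USER)


def ssh_reordered():
    return run_stack(SSHD_ACCOUNT_REORDERED, LOCAL_USER)


if __name__ == "__main__":
    for name, fn in (("sshd as posted", ssh_as_posted),
                     ("su as posted", su_as_posted),
                     ("sshd reordered", ssh_reordered)):
        code, seen = fn()
        print(f"{name:15s} -> {code:22s} consulted: {', '.join(seen)}")
```

Under the stated assumption the simulation reproduces the symptom: for ssh the stack stops at pam_winbind and pam_unix's aging check is never consulted, while for su (system-auth only) pam_unix returns PAM_NEW_AUTHTOK_REQD and the application forces a password change. The thing to verify on the real box is what pam_winbind's account module actually returns for a local user; adding the `debug` argument to that line and reading syslog will show it.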