pam_winbind implemented, lost local user aging - redhat AS 3

Fri Jul 11 15:28:40 UTC 2008

Hello,

pam_winbind.so has been utilized on some of our linux servers to provide AD
authentication for ssh connections.
It was accomplished by editing the /etc/pam.d/login and /etc/pam.d/sshd
files, which I'll post further down.
We still have a significant number of uids which are configured locally on
the linux systems. I have noticed on these
local accounts that I can no longer force password changes using chage -d 0
<username> or the passwd -M 0 <username>. I haven't tested whether
additional options to pam_cracklib will be enforced if added.

Was hoping a more experienced eye could catch why this is happening.

/etc/pam.d/login
# cat login
#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account       sufficient   /lib/security/pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

/etc/pam.d/sshdPAM-1.0
#auth       required    pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_krb5.so realm=WINDOMAINONE.COM
auth       sufficient   /lib/security/pam_krb5.so realm=WINDOMAINTWO.COM
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

Output from a chage -l for a user which is locally authenticated
# chage -l <localuser>
Minimum:        0
Maximum:        0
Warning:        7
Inactive:       -1
Last Change:            Never
Password Expires:       Never
Password Inactive:      Never
Account Expires:        Never

When I su to this user I get prompted to change the password, however when I
ssh as this user, I go right through without getting prompted using the
local password that I configured. Here is the /etc/pam.d/su file

#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
session    optional     /lib/security/$ISA/pam_xauth.so

system-auth - posted due to the references in login and sshd
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok
md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pam-list/attachments/20080711/f0c1d925/attachment.htm>