PAM faillock and sssd

Bryan Harris bryanlharris at me.com
Thu Jun 6 12:14:40 UTC 2013


Hi all,

I believe I have accomplished my goal; I'm just wanting to verify with the list that this is the right way to get what I want. Our configuration is as follows.

1. RHEL 6 with some local accounts.
2. We are using sssd to authenticate to Active Directory for other accounts.
3. We don't want a faillock table maintained for sssd-authenticated users because AD has its own way to do this.
4. We _do_ want faillock for local users.

Our auth section of the system-auth-ac file previously looked like this,

auth        required      pam_env.so
auth        required      pam_faillock.so preauth audit deny=3 unlock_time=900
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=900 fail_interval=900
auth        sufficient    pam_faillock.so authsucc audit deny=3 unlock_time=900 fail_interval=900
auth        required      pam_deny.so

In order to skip the faillock stuff for the AD users, I changed the sssd line to look like this,

auth        [success=done new_authtok_reqd=done default=2]    pam_sss.so use_first_pass

Can I just confirm that I'm going about this in the correct way? My goal is: the local Linux faillock table is used when a local user fails to authenticate, but the local table is not used when an sssd-authenticated user fails to authenticate (I'm hoping to let AD handle that).

Bryan
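As an added illustration (not part of Bryan's post or of Linux-PAM itself), the Python below walks the auth stack above under the control-flag rules from pam.conf(5), so the effect of the `default=2` jump can be checked for a local user and for an AD user by seeing which lines run and whether `pam_faillock authfail` is ever reached. The per-user module return codes are constructed assumptions (a local user is unknown to pam_sss, an AD user is unknown to pam_unix, nobody has a fingerprint enrolled).

```python
# Shorthand control flags expanded as in pam.conf(5).
SHORTHAND = {
    "required": {"success": "ok", "new_authtok_reqd": "ok", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}

def parse_control(ctrl):
    """'required' or '[success=done default=2]' -> {return value: action}."""
    if ctrl.startswith("["):
        return dict(kv.split("=", 1) for kv in ctrl.strip("[]").split())
    return SHORTHAND[ctrl]

def auth_stack(sss_ctrl):
    """The auth section from the post; only the pam_sss control field varies."""
    return [("required", "pam_env"), ("required", "pam_faillock preauth"),
            ("sufficient", "pam_fprintd"), ("sufficient", "pam_unix"),
            ("requisite", "pam_succeed_if"), (sss_ctrl, "pam_sss"),
            ("[default=die]", "pam_faillock authfail"),
            ("sufficient", "pam_faillock authsucc"), ("required", "pam_deny")]

def run_stack(stack, results):
    """Walk the stack the way libpam does; return (final status, modules that ran)."""
    ran, status, failed, i = [], "success", False, 0
    while i < len(stack):
        ctrl, module = stack[i]
        i += 1
        table, rc = parse_control(ctrl), results[module]
        action = table.get(rc, table["default"])
        ran.append(module)
        if action.isdigit():                  # default=N: jump over the next N lines
            i += int(action)
        elif action != "ignore":
            if not failed:                    # the first recorded failure is sticky
                status, failed = rc, action in ("bad", "die")
            if action in ("done", "die"):     # stop walking the stack here
                break
    return status, ran

# Constructed per-user return codes (assumptions: a local user is unknown to
# pam_sss, an AD user is unknown to pam_unix, nobody has a fingerprint enrolled).
BASE = {"pam_env": "success", "pam_faillock preauth": "success", "pam_fprintd": "auth_err",
        "pam_succeed_if": "success", "pam_faillock authfail": "auth_err",
        "pam_faillock authsucc": "success", "pam_deny": "auth_err"}
LOCAL_BAD_PW = {**BASE, "pam_unix": "auth_err", "pam_sss": "user_unknown"}
AD_BAD_PW = {**BASE, "pam_unix": "user_unknown", "pam_sss": "auth_err"}
AD_GOOD_PW = {**BASE, "pam_unix": "user_unknown", "pam_sss": "success"}
ORIGINAL = auth_stack("sufficient")
CHANGED = auth_stack("[success=done new_authtok_reqd=done default=2]")
```

Compare `run_stack(ORIGINAL, LOCAL_BAD_PW)` with `run_stack(CHANGED, LOCAL_BAD_PW)` to see which lines the jump skips for a local user, not only for an AD user.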
