pam_winbind implemented, lost local user aging - redhat AS 3

Hello,


pam_winbind.so has been utilized on some of our Linux servers to provide AD authentication for ssh connections.
It was accomplished by editing the /etc/pam.d/login and /etc/pam.d/sshd files, which I'll post further down.
We still have a significant number of uids which are configured locally on the Linux systems. I have noticed on these local accounts that I can no longer force password changes using chage -d 0 <username> or passwd -M 0 <username>. I haven't tested whether additional options to pam_cracklib will be enforced if added.

Was hoping a more experienced eye could catch why this is happening.

/etc/pam.d/login
# cat login
#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account       sufficient   /lib/security/pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so


/etc/pam.d/sshd
#%PAM-1.0
#auth       required    pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_krb5.so realm=WINDOMAINONE.COM
auth       sufficient   /lib/security/pam_krb5.so realm=WINDOMAINTWO.COM
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so


Output from chage -l for a user who is locally authenticated
# chage -l <localuser>
Minimum:        0
Maximum:        0
Warning:        7
Inactive:       -1
Last Change:            Never
Password Expires:       Never
Password Inactive:      Never
Account Expires:        Never

When I su to this user I get prompted to change the password; however, when I ssh as this user with the local password that I configured, I go right through without being prompted. Here is the /etc/pam.d/su file:

#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
session    optional     /lib/security/$ISA/pam_xauth.so


/etc/pam.d/system-auth, posted because login and sshd reference it:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so



_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
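Editor's note, added for readers of this thread and not part of the original post or of Linux-PAM: password aging (the `chage -d 0` / "Last Change: Never" state shown above) is enforced by pam_unix's account hook, which returns PAM_NEW_AUTHTOK_REQD for such a user, so only the account phase of each service decides whether the change prompt appears. The model below replays libpam's control-flag dispatch (the `[value=action]` tables that pam.conf(5) gives as the definitions of required, requisite, sufficient and optional, plus pam_stack nesting) over the account phases posted for sshd and su, and over a hypothetical reordering named `sshd-reordered` that runs the system-auth stack before pam_winbind. The return values assigned to pam_winbind for a local user are assumptions covering the two behaviours different pam_winbind versions have shown (accept any resolvable name, or report the user as unknown); the scenario names and the `account_phase` helper are this example's own.

```python
"""Replay libpam's account-phase dispatch over the stacks from the post.

Added illustration, not code from the post or from Linux-PAM. Module return
values are constructed scenarios (see the comments), not observed results."""
import os

# PAM return values used by the model (identifiers as in Linux-PAM)
PAM_SUCCESS = "PAM_SUCCESS"
PAM_NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"   # pam_unix: password expired, must change
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

# The classic control keywords as the [value=action] tables pam.conf(5) defines
CONTROLS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}
VALUE_NAME = {PAM_SUCCESS: "success", PAM_NEW_AUTHTOK_REQD: "new_authtok_reqd"}


def parse_pamd(text):
    """Parse pam.d-style lines into (phase, control, module basename, args)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drops #%PAM-1.0 and comments
        if not line:
            continue
        phase, control, module, *args = line.split()
        entries.append((phase, control, os.path.basename(module), args))
    return entries


def dispatch(services, service, phase, results, trace):
    """Walk one phase of one service the way libpam's dispatcher does.

    `results` maps module basename -> value that module returns for the user
    being modelled; `trace` collects the modules actually consulted.
    Returns the phase's final status."""
    impression, status = None, PAM_PERM_DENIED
    for ph, control, module, args in services[service]:
        if ph != phase:
            continue
        if module == "pam_stack.so":
            # pam_stack runs another service's stack and returns its result
            sub = next(a.split("=", 1)[1] for a in args if a.startswith("service="))
            retval = dispatch(services, sub, phase, results, trace)
        else:
            retval = results[module]
            trace.append(module)
        table = CONTROLS[control]
        action = table.get(VALUE_NAME.get(retval), table["default"])
        if action in ("ok", "done"):
            # a positive result is recorded only if none exists yet, or if the
            # earlier positive result was a plain PAM_SUCCESS (so a recorded
            # PAM_NEW_AUTHTOK_REQD survives later successes)
            if impression is None or (impression == "positive" and status == PAM_SUCCESS):
                impression, status = "positive", retval
            if impression == "positive" and action == "done":
                break                              # sufficient: stop the stack here
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
        # "ignore": the module's result does not affect the phase's outcome
    return status


# Account phases as posted (other phases omitted); system-auth is shared.
SERVICES = {name: parse_pamd(text) for name, text in {
    "system-auth": "account required /lib/security/$ISA/pam_unix.so",
    "sshd": """
        account    sufficient   /lib/security/pam_winbind.so
        account    required     pam_stack.so service=system-auth
    """,
    "su": "account required /lib/security/$ISA/pam_stack.so service=system-auth",
    # hypothetical reordering to evaluate: local account checks run first
    "sshd-reordered": """
        account    required     pam_stack.so service=system-auth
        account    sufficient   /lib/security/pam_winbind.so
    """,
}.items()}

# Constructed scenarios for a local user reset with `chage -d 0`: pam_unix's
# account hook returns PAM_NEW_AUTHTOK_REQD. What pam_winbind returns for a
# *local* user is the assumption under test: some builds accept any name that
# resolves, others report it as unknown to the domain.
WINBIND_ACCEPTS_LOCAL = {"pam_unix.so": PAM_NEW_AUTHTOK_REQD, "pam_winbind.so": PAM_SUCCESS}
WINBIND_REJECTS_LOCAL = {"pam_unix.so": PAM_NEW_AUTHTOK_REQD, "pam_winbind.so": PAM_USER_UNKNOWN}


def account_phase(service, results):
    """Return (final status, modules consulted) for the service's account phase."""
    trace = []
    status = dispatch(SERVICES, service, "account", results, trace)
    return status, trace


if __name__ == "__main__":
    for svc in ("sshd", "su", "sshd-reordered"):
        for label, results in (("winbind accepts local", WINBIND_ACCEPTS_LOCAL),
                               ("winbind rejects local", WINBIND_REJECTS_LOCAL)):
            status, ran = account_phase(svc, results)
            print(f"{svc:15s} {label:22s} -> {status:21s} ran {ran}")
```

With the posted sshd order, a pam_winbind that returns success for the local user ends the account phase before pam_unix is ever consulted, so sshd sees PAM_SUCCESS and never calls pam_chauthtok; su, whose account phase is only system-auth, sees PAM_NEW_AUTHTOK_REQD and prompts, which matches the symptom in the post. If pam_winbind instead returns PAM_USER_UNKNOWN for local users, `sufficient` ignores it and aging works even in the posted order, so the first thing to establish on the real box is what pam_winbind's account hook returns there (its `debug` option logs through syslog). Putting the system-auth stack ahead of pam_winbind preserves PAM_NEW_AUTHTOK_REQD in both cases, but before deploying that order check what pam_unix's account hook returns for a domain user that has no shadow entry, since a failure there would now be `required`; rerun the model with that value in the results table.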
