PAM faillock and sssd

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


Hi all,

I believe I have accomplished my goal, I'm just wanting to verify with the list that this is the right way to get what I want.  Our configuration is as follows.

1. RHEL 6 with some local accounts.
2. We are using sssd to authenticate to Active Directory for other accounts.
3. We don't want a faillock table maintained for sssd-authenticated users because AD has its own way to do this.
4. We _do_ want faillock for local users.

Our auth section of the system-auth-ac file previously looked like this,

auth        required
auth        required preauth audit deny=3 unlock_time=900
auth        sufficient
auth        sufficient try_first_pass
auth        requisite uid >= 500 quiet
auth        sufficient use_first_pass
auth        [default=die] authfail audit deny=3 unlock_time=900 fail_interval=900
auth        sufficient authsucc audit deny=3 unlock_time=900 fail_interval=900
auth        required

In order to skip the faillock stuff for the AD users, I changed the sssd line to look like this,

auth        [success=done new_authtok_reqd=done default=2] use_first_pass

Can I just confirm that I'm going about this in the correct way?  My goal is: the local linux faillock table is used when a local user fails to authenticate, but local table is not used when a sssd-authenticated user fails to authenticate (I'm hoping to let AD handle that).

Pam-list mailing list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux