PAM faillock and sssd

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi all,

I believe I have accomplished my goal, I'm just wanting to verify with the list that this is the right way to get what I want.  Our configuration is as follows.

1. RHEL 6 with some local accounts.
2. We are using sssd to authenticate to Active Directory for other accounts.
3. We don't want a faillock table maintained for sssd-authenticated users because AD has its own way to do this.
4. We _do_ want faillock for local users.

Our auth section of the system-auth-ac file previously looked like this,

auth        required      pam_env.so
auth        required      pam_faillock.so preauth audit deny=3 unlock_time=900
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=900 fail_interval=900
auth        sufficient    pam_faillock.so authsucc audit deny=3 unlock_time=900 fail_interval=900
auth        required      pam_deny.so

In order to skip the faillock stuff for the AD users, I changed the sssd line to look like this,

auth        [success=done new_authtok_reqd=done default=2]    pam_sss.so use_first_pass

Can I just confirm that I'm going about this in the correct way?  My goal is: the local linux faillock table is used when a local user fails to authenticate, but local table is not used when a sssd-authenticated user fails to authenticate (I'm hoping to let AD handle that).
Bryan

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux