I believe I have accomplished my goal, I'm just wanting to verify with the list that this is the right way to get what I want. Our configuration is as follows.
1. RHEL 6 with some local accounts.
2. We are using sssd to authenticate to Active Directory for other accounts.
3. We don't want a faillock table maintained for sssd-authenticated users because AD has its own way to do this.
4. We _do_ want faillock for local users.
Our auth section of the system-auth-ac file previously looked like this,
auth required pam_env.so
auth required pam_faillock.so preauth audit deny=3 unlock_time=900
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=900 fail_interval=900
auth sufficient pam_faillock.so authsucc audit deny=3 unlock_time=900 fail_interval=900
auth required pam_deny.so
In order to skip the faillock stuff for the AD users, I changed the sssd line to look like this,
auth [success=done new_authtok_reqd=done default=2] pam_sss.so use_first_pass
Can I just confirm that I'm going about this in the correct way? My goal is: the local linux faillock table is used when a local user fails to authenticate, but local table is not used when a sssd-authenticated user fails to authenticate (I'm hoping to let AD handle that).
_______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list