[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Google
  Web www.spinics.net

Re: pam_winbind implemented, lost local user aging - redhat AS 3



On Fri, Jul 11, 2008 at 11:28:40AM -0400, Jason Kimbrough wrote:
> pam_winbind.so has been utilized on some of our linux servers to provide AD
> authentication for ssh connections.
> It was accomplished by editing the /etc/pam.d/login and /etc/pam.d/sshd
> files, which I'll post further down.
> We still have a significant number of uids which are configured locally on
> the linux systems. I have noticed on these
> local accounts that I can no longer force password changes using chage -d 0
> <username> or the passwd -M 0 <username>. I haven't tested whether
> additional options to pam_cracklib will be enforced if added.

> Was hoping a more experienced eye could catch why this is happening.

<snip>

> Output from a chage -l for a user which is locally authenticated
> # chage -l <localuser>
> Minimum:        0
> Maximum:        0
> Warning:        7
> Inactive:       -1
> Last Change:            Never
> Password Expires:       Never
> Password Inactive:      Never
> Account Expires:        Never

> When I su to this user I get prompted to change the password, however when I
> ssh as this user, I go right through without getting prompted using the
> local password that I configured. Here is the /etc/pam.d/su file

Well, I guess this user also exists in the domain, not just in the local
password database, no?  If you have overlapping account names between the
local Unix database and the Windows domain, and you want the local accounts
to *only* ever authenticate using the local information, then you should
structure your PAM config so that Unix is listed first.

I didn't notice any errors in your config, otherwise; i.e., it looks like
you have things correctly structured such that usernames that *only* exist
locally can only be authenticated via pam_unix, and will therefore have to
deal with the password aging.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@xxxxxxxxxx                                     vorlon@xxxxxxxxxx

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

[Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

Add to Google Powered by Linux