Old 07-03-2009   #1 (permalink)
Just Joined!
 
Join Date: May 2009
Posts: 6
Console user locked out - pam problems?

I am trying to enable AD authentication for Debian stable servers to enable users to log on via ssh, authenticating against Windows AD. It all works fine and I can ssh to the server using my Windows credentials, but I have noticed this message on remote ssh logon when logging on as root:

Your account has been locked. Please contact your System administrator
Your account has been locked. Please contact your System administrator
Your account has been locked. Please contact your System administrator
Last login: Sat Jun 13 14:15:14 2009 from workstation1
server1:~#

I have checked whether I can log in via the local console as root and, oops, I cannot. The same error pops up. This could kick me painfully in the future. At the same time I have tried the same setup for RedHat and I don't have this problem. I believe the problem is somewhere in my pam configuration but can't see where. Googling for the error does not get me anywhere either.

Below are details of the corresponding pam files on Debian and RedHat.

common-account

account sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX

account sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX

account sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX

account required pam_unix.so

common-auth

auth sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX

auth sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX

auth sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX

auth required pam_unix.so nullok_secure

common-session

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

session sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX

session sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX

session sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXX

session required pam_unix.so

RedHat system-auth file:

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_winbind.so use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account sufficient pam_winbind.so use_first_pass
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_first_pass
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_winbind.so use_first_pass
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_mkhomedir.so skel=etc/skel/ umask=0027
daugavpils
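The Debian and RedHat stacks in the post above order their modules differently: the Debian files list pam_winbind before pam_unix, while the RedHat account stack runs pam_unix first and has a `pam_succeed_if.so uid < 500` rule ahead of pam_winbind. The following is an added example, not part of the original post, that parses PAM rule lines and reports that ordering; the function names `parse_stack` and `audit` are hypothetical, and the embedded stacks are the account rules from the post used as sample input.

```python
import re

# Account stacks as posted in the thread (embedded as sample input for this example).
SID = "S-1-5-21-602162358-1844823847-725345543-XXXXXX"
DEBIAN_ACCOUNT = f"""\
account sufficient pam_winbind.so require_membership_of={SID}
account sufficient pam_winbind.so require_membership_of={SID}
account sufficient pam_winbind.so require_membership_of={SID}
account required pam_unix.so
"""
REDHAT_ACCOUNT = """\
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account sufficient pam_winbind.so use_first_pass
account required pam_permit.so
"""

# Fields: type, control (keyword or [value=action ...]), module, arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Return (type, control, module, args) tuples, skipping comments and @include lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE.match(line)
        if m:
            rules.append(m.groups())
    return rules

def audit(text, stack_type):
    """Report module order and whether a local-uid guard precedes pam_winbind."""
    rules = [r for r in parse_stack(text) if r[0] == stack_type]
    order = [module for _, _, module, _ in rules]
    wb = order.index("pam_winbind.so") if "pam_winbind.so" in order else None
    ux = order.index("pam_unix.so") if "pam_unix.so" in order else None
    before_wb = rules if wb is None else rules[:wb]
    # A "sufficient pam_succeed_if.so uid < N" rule ends the stack early for system accounts
    guard = wb is not None and any(
        control == "sufficient" and module == "pam_succeed_if.so"
        and re.search(r"\buid\s*<", args)
        for _, control, module, args in before_wb)
    return {"order": order,
            "winbind_before_unix": wb is not None and (ux is None or wb < ux),
            "uid_guard_before_winbind": guard}

if __name__ == "__main__":
    for name, text in (("Debian common-account", DEBIAN_ACCOUNT),
                       ("RedHat system-auth", REDHAT_ACCOUNT)):
        print(name, audit(text, "account"))
```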
Old 07-05-2009   #2 (permalink)
Linux Guru
 
Join Date: Oct 2007
Posts: 2,410
Are you sure you don't just have the root account locked on the server ... and I thought permit of root login over ssh was a really bad idea - things like rkhunter check for this.
Jonathan183
Old 07-05-2009   #3 (permalink)
Just Joined!
 
Join Date: May 2009
Posts: 6
OK, I found out that there is an account called root on AD.
Still, it does not explain why an ssh connection fails over to shadow auth and console does not.
daugavpils
Old 07-06-2009   #4 (permalink)
Linux Engineer
 
Join Date: Oct 2004
Location: North Carolina
Posts: 1,030
What do the logs say? Does root fail because of winbind or pam? In my setup, login tries AD first and then falls back to local pam. So when I log in as root I get a fail in the logs for winbind but OK with pam.
jledhead
Old 07-06-2009   #5 (permalink)
Just Joined!
 
Join Date: May 2009
Posts: 6
I have tested three servers and only one has the problem. The other ones are switching happily to shadow auth. Apologies for wasting your time...
daugavpils