  1. #1
    Just Joined!
    Join Date
    May 2009
    Posts
    6

    Console user locked out - pam problems?


    I am trying to enable AD authentication for Debian stable servers to enable users to logon via ssh authenticating against Windows AD. It all works fine and I can ssh to the server using my Windows credentials, but I have noticed this message on remote ssh logon when logging on as root:

    Your account has been locked. Please contact your System administrator
    Your account has been locked. Please contact your System administrator
    Your account has been locked. Please contact your System administrator
    Last login: Sat Jun 13 14:15:14 2009 from workstation1
    server1:~#

    I have checked if I can login via local console as root and oops, I cannot. Same error pops up. This could kick me painfully in the future. At the same time I have tried the same setup for RedHat and I don't have this problem. I believe the problem is somewhere in my pam configuration but can't see where. Googling for the error does not get me anywhere either.

    Below are details for the corresponding pam files on Debian and RedHat.

    common-account

    account sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX
    account sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX
    account sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX
    account required pam_unix.so

    common-auth

    auth sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX
    auth sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX
    auth sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX
    auth required pam_unix.so nullok_secure

    common-session

    session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
    session sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX
    session sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX
    session sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXX
    session required pam_unix.so

    RedHat system-auth file:

    auth required pam_env.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth sufficient pam_winbind.so use_first_pass
    auth requisite pam_succeed_if.so uid >= 500 quiet
    auth required pam_deny.so

    account required pam_unix.so
    account sufficient pam_succeed_if.so uid < 500 quiet
    account sufficient pam_winbind.so use_first_pass
    account required pam_permit.so

    password requisite pam_cracklib.so try_first_pass retry=3
    password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password sufficient pam_winbind.so use_first_pass
    password required pam_deny.so

    session optional pam_keyinit.so revoke
    session required pam_limits.so
    session required pam_winbind.so use_first_pass
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session required pam_unix.so
    session optional pam_mkhomedir.so skel=/etc/skel/ umask=0027

  2. #2
    Linux Guru Jonathan183's Avatar
    Join Date
    Oct 2007
    Posts
    3,042
    Are you sure you don't just have the root account locked on the server? And I thought permitting root login over ssh was a really bad idea - things like rkhunter check for this.

  3. #3
    Just Joined!
    Join Date
    May 2009
    Posts
    6
    OK, I found out that there is an account called root on AD.
    Still, it does not explain why an ssh connection fails over to shadow auth and the console does not.

  4. #4
    Linux Engineer jledhead's Avatar
    Join Date
    Oct 2004
    Location
    North Carolina
    Posts
    1,077
    What do the logs say? Does root fail because of winbind or pam? In my setup, login tries AD first and then falls back to local pam. So when I log in as root I get a fail in the logs for winbind but OK with pam.
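The control-flag semantics behind the stacks in post #1 and the AD-then-local fallback described in post #4, as an added example that is not part of the thread: a small Python model of how Linux-PAM walks an "account" stack. The SID is the redacted value from the post; the pam_winbind return code fed in is a constructed assumption, and the "winbind required" stack is a hypothetical variant for comparison.

```python
# Added example (not from the thread): walk a PAM stack with the control flags
# used in post #1 to see how Debian's and RedHat's "account" stacks treat a
# local root login.  Per-module return codes below are constructed assumptions.
from typing import Dict, List, Tuple

SID = "S-1-5-21-602162358-1844823847-725345543-XXXXXX"  # redacted as in the post
PamLine = Tuple[str, str, str]  # (control flag, module, arguments), stack order

DEBIAN_ACCOUNT: List[PamLine] = [
    ("sufficient", "pam_winbind.so", f"require_membership_of={SID}"),
    ("sufficient", "pam_winbind.so", f"require_membership_of={SID}"),
    ("sufficient", "pam_winbind.so", f"require_membership_of={SID}"),
    ("required", "pam_unix.so", ""),
]
# Hypothetical variant: the same stack with winbind marked "required".
DEBIAN_WINBIND_REQUIRED: List[PamLine] = [
    ("required", "pam_winbind.so", f"require_membership_of={SID}"),
    ("required", "pam_unix.so", ""),
]
REDHAT_ACCOUNT: List[PamLine] = [
    ("required", "pam_unix.so", ""),
    ("sufficient", "pam_succeed_if.so", "uid < 500 quiet"),
    ("sufficient", "pam_winbind.so", "use_first_pass"),
    ("required", "pam_permit.so", ""),
]

def run_stack(stack: List[PamLine], results: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (final verdict, modules actually consulted) under Linux-PAM rules:
    required  - a failure is remembered but the stack keeps running;
    requisite - a failure ends the stack at once;
    sufficient- a success ends the stack (an earlier required failure still
                wins) and a failure is ignored.  Modules absent from `results`
                are assumed to succeed; "optional" lines are ignored here."""
    remembered = None
    consulted: List[str] = []
    for flag, module, _args in stack:
        rc = results.get(module, "PAM_SUCCESS")
        consulted.append(module)
        if flag == "required" and rc != "PAM_SUCCESS":
            remembered = remembered or rc
        elif flag == "requisite" and rc != "PAM_SUCCESS":
            return remembered or rc, consulted
        elif flag == "sufficient" and rc == "PAM_SUCCESS":
            return remembered or "PAM_SUCCESS", consulted
    return remembered or "PAM_SUCCESS", consulted

# Local root when AD also holds a "root" account (post #3): winbind rejects it.
WINBIND_REJECTS_ROOT = {"pam_winbind.so": "PAM_AUTH_ERR"}  # constructed code
```

Calling `run_stack(DEBIAN_ACCOUNT, WINBIND_REJECTS_ROOT)` shows all three winbind lines consulted (each one printing its banner in real life) before pam_unix admits root, while the RedHat stack stops at pam_succeed_if and never asks winbind about a uid below 500.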

  5. #5
    Just Joined!
    Join Date
    May 2009
    Posts
    6
    I have tested three servers and only one has the problem. The other ones are switching happily to shadow auth. Apologies for wasting your time...
