[tac_plus] Issues with tac_plus and PAM on AD Authenticated RHEL 7

Ann Morton ann_morton at nwrdc.fsu.edu
Tue Apr 2 16:54:07 UTC 2019


Good Afternoon,

We have a RHEL 7 server that is AD authenticated via Kerberos/realmd/sssd. I previously had pam_tally2 configured in the system-auth & password-auth modules to deny=3 unlock=1800. Whenever my network admin would log in to a network device, regardless of whether the login was correct, it would lock her out. I had to uncomment the pam_tally2 sections of the files to alleviate the lockout issues. Is there a config I'm missing that would allow for using pam_tally2 but not lock out users?

Current configs:
/etc/pam.d/system-auth & password-auth
auth        required      pam_env.so
#auth        required      pam_tally2.so deny=3 unlock_time=1800
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
#account     required      pam_tally2.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=12 minclass=3 lcredit=1 dcredit=1 ocredit=1 ucredit=1 difok=1
password    sufficient    pam_unix.so md5 remember=10 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so



/etc/pam.d/tac_plus
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth


Any help is much appreciated.

Thanks,

Ann Morton
Interim Manager
Server Response Team
NWRDC
850-645-3540
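Added example, not part of the original post and not tac_plus code: a small parser for PAM stack files that expands `include` the way libpam does (an `auth include X` pulls in only the auth lines of X) and then checks where pam_tally2 sits in the resulting tac_plus stack. The embedded config is constructed from the poster's stacks with the two pam_tally2 lines uncommented, i.e. the configuration that was locking users out. The checks rest on two documented facts: the auth-phase pam_tally2 entry increments the per-user tally on every call, and the account-phase entry is what resets it after a successful login; plus ordinary PAM control semantics (a `sufficient` success ends the stack). It does not try to explain why tac_plus produced failures in the first place.

```python
import re
from collections import defaultdict

# Constructed sample: the poster's /etc/pam.d/tac_plus and system-auth with the
# pam_tally2 lines uncommented (the configuration that caused the lockouts).
SAMPLE_FILES = {
    "tac_plus": """
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
""",
    "system-auth": """
auth        required      pam_env.so
auth        required      pam_tally2.so deny=3 unlock_time=1800
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     required      pam_tally2.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
""",
}

# <type> <control or [bracketed control]> <module> [args]; a leading '-' marks an optional module.
LINE_RE = re.compile(r"^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")

# Modules that, placed before pam_tally2, gate which users reach it.
GATES = {"pam_succeed_if.so", "pam_localuser.so"}

def parse_stack(files, service, _seen=frozenset()):
    """Return {type: [(control, module, args), ...]} for a service, with
    include/substack expanded recursively from the given in-memory files."""
    if service in _seen:
        raise ValueError(f"include loop at {service}")
    stacks = defaultdict(list)
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"{service}: cannot parse {raw!r}")
        _, ptype, control, module, args = m.groups()
        if control in ("include", "substack"):
            # Only the lines of the same type are pulled in from the included file.
            stacks[ptype].extend(parse_stack(files, module, _seen | {service})[ptype])
        else:
            stacks[ptype].append((control, module, args or ""))
    return stacks

def tally2_options(stack):
    """Options of the first auth-phase pam_tally2 entry, e.g. {'deny': '3', ...}."""
    for _, mod, args in stack.get("auth", []):
        if mod == "pam_tally2.so":
            return {k: v for k, _, v in (a.partition("=") for a in args.split())}
    return None

def tally2_findings(stack):
    """Structural findings about pam_tally2 placement, as short codes."""
    findings = []
    auth = stack.get("auth", [])
    pos = [i for i, (_, mod, _) in enumerate(auth) if mod == "pam_tally2.so"]
    if not pos:
        return ["no_auth_tally"]                  # nothing is ever counted
    if not any(mod in GATES for _, mod, _ in auth[:pos[0]]):
        findings.append("counts_all_users")       # every attempt, local and sssd, is tallied
    acct = stack.get("account", [])
    apos = [i for i, (_, mod, _) in enumerate(acct) if mod == "pam_tally2.so"]
    if not apos:
        findings.append("no_account_reset")       # a successful login never resets the tally
    elif any(ctl == "sufficient" for ctl, _, _ in acct[:apos[0]]):
        findings.append("account_reset_shadowed") # users matched by an earlier 'sufficient' skip the reset
    return findings

if __name__ == "__main__":
    stack = parse_stack(SAMPLE_FILES, "tac_plus")
    print("auth stack:", [m for _, m, _ in stack["auth"]])
    print("pam_tally2 options:", tally2_options(stack))
    print("findings:", tally2_findings(stack))
```

Run it against your real files by replacing `SAMPLE_FILES` with the contents of /etc/pam.d; the point of the account-phase check is that commenting out only the `account ... pam_tally2.so` line (as in the poster's second state) leaves the counter with no reset path at all, so any three failures over time reach `deny=3` whatever the user does in between.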

