[tac_plus] Issues with tac_plus and PAM on AD Authenticated RHEL 7

heasley heas at shrubbery.net
Wed Apr 3 17:13:28 UTC 2019


Tue, Apr 02, 2019 at 04:54:07PM +0000, Ann Morton:
> Good Afternoon,
> 
> We have a RHEL 7 server that is AD authenticated via Kerberos/realmd/sssd. I previously had pam_tally2 configured in the system-auth & password-auth modules to deny=3 unlock=1800. Whenever my network admin would log in to a network device, regardless of whether the login was correct, it would lock her out. I had to uncomment the pam_tally2 sections of the files to alleviate the lockout issues. Is there a config I'm missing that would allow for using pam_tally2 but not lock out users?

I do not know; I have never used this pam module.  I would look for debugging
options for the module; something that would indicate how many times it is
invoked, and in theory triggered to record success or failure.  One might also
strace the tacacs daemon and enable its debugging to see its interaction with
PAM.  Also, check for errors in the pam config; perhaps including the module
at the wrong point or multiple times.

> Current configs:
> /etc/pam.d/system-auth & password-auth
> auth        required      pam_env.so
> #auth        required      pam_tally2.so deny=3 unlock_time=1800
> auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
> auth        [default=1 ignore=ignore success=ok] pam_localuser.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
> auth        sufficient    pam_sss.so forward_pass
> auth        required      pam_deny.so
> 
> account     required      pam_unix.so
> #account     required      pam_tally2.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 1000 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
> 
> password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=12 minclass=3 lcredit=1 dcredit=1 ocredit=1 ucredit=1 difok=1
> password    sufficient    pam_unix.so md5 remember=10 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_sss.so use_authtok
> password    required      pam_deny.so
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session     optional      pam_systemd.so
> session     optional      pam_oddjob_mkhomedir.so umask=0077
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_sss.so
> 
> 
> 
> /etc/pam.d/tac_plus
> auth       required     pam_nologin.so
> auth       include      system-auth
> account    include      system-auth
> password   include      system-auth
> session    include      system-auth
> 
> 
> Any help is much appreciated.
> 
> Thanks,
> 
> Ann Morton
> Interim Manager
> Server Response Team
> NWRDC
> 850-645-3540
> 
> 
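The placement check heasley suggests (is pam_tally2 included at the wrong point, or more than once, once `include system-auth` is resolved?) can be done offline before touching the daemon. The script below is an added example for this thread, not code from tac_plus or from either poster. It flattens a pam.d service stack by following `include`/`substack`, reports where pam_tally2.so lands in the `auth` and `account` groups, and flags the placements that explain a lockout on every attempt. The embedded files are constructed strings mirroring the configuration quoted above (pam_tally2 lines commented out as posted); the `enable_tally` helper is only there to try candidate fixes against the same text. One fact it relies on, from pam_tally2(8): the `auth` phase bumps the counter on every attempt, and the counter is reset to zero only by the `account` phase or by a call to pam_setcred(3). An application that calls pam_authenticate() but neither of those will lock the user after `deny` attempts no matter whether the passwords were right. Whether tac_plus makes those calls is exactly what the daemon debugging and tracing heasley mentions would show.

```python
"""Flatten a pam.d stack and audit where pam_tally2 sits in it.

Added example (not tac_plus code).  Understands plain pam.d rule syntax,
the include/substack controls and a leading '-' on the type.  The files
below are constructed strings, not read from a real /etc/pam.d.
"""
import re

PAM_TYPES = ("auth", "account", "password", "session")

# Constructed copy of the quoted files, pam_tally2 commented out as posted.
PAM_FILES_AS_POSTED = {
    "tac_plus": """\
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
""",
    "system-auth": """\
auth        required      pam_env.so
#auth        required      pam_tally2.so deny=3 unlock_time=1800
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
account     required      pam_unix.so
#account     required      pam_tally2.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
""",
}

# type   control (word or [bracketed])   module   args
RULE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_file(text):
    """Yield (type, control, module, args, commented) for every rule line."""
    for raw in text.splitlines():
        line = raw.strip()
        commented = line.startswith("#")
        m = RULE_RE.match(line.lstrip("#").strip())
        if m and m.group(1) in PAM_TYPES:
            ptype, control, module, args = m.groups()
            yield ptype, control, module, args, commented


def walk(files, service, ptype, depth=0):
    """Yield (module, control, args, source_file, commented) for one
    management group, in stack order, following include/substack."""
    if depth > 8:
        raise ValueError("include loop at " + service)
    for t, control, module, args, commented in parse_file(files[service]):
        if t != ptype:
            continue
        if control in ("include", "substack") and not commented:
            yield from walk(files, module, ptype, depth + 1)
        else:
            yield module, control, args, service, commented


def enable_tally(files, ptypes):
    """Copy of files with the commented pam_tally2 rules of these types uncommented."""
    out = {}
    for name, text in files.items():
        lines = []
        for line in text.splitlines():
            body = line.lstrip("#")
            if line.startswith("#") and "pam_tally2" in body and body.split()[0] in ptypes:
                line = body
            lines.append(line)
        out[name] = "\n".join(lines) + "\n"
    return out


def audit_tally(files, service, module="pam_tally2.so"):
    """Positions of `module` in the flattened auth/account stacks plus the
    placements that would explain a lockout regardless of password."""
    report = {"active": {}, "commented": {}, "issues": []}
    for ptype in ("auth", "account"):
        entries = list(walk(files, service, ptype))
        active = [e for e in entries if not e[4]]
        hits = [i for i, e in enumerate(active) if e[0] == module]
        report["active"][ptype] = hits
        report["commented"][ptype] = [e[3] for e in entries if e[4] and e[0] == module]
        if len(hits) > 1:  # included twice: one attempt bumps the tally twice
            report["issues"].append("%s: %s reached %d times per attempt" % (ptype, module, len(hits)))
        if ptype == "auth" and hits:  # after a sufficient rule the deny check is skipped on success
            first_sufficient = next((i for i, e in enumerate(active) if e[1] == "sufficient"), None)
            if first_sufficient is not None and hits[0] > first_sufficient:
                report["issues"].append("auth: %s sits after a sufficient module" % module)
    auth_hits, acct_hits = report["active"]["auth"], report["active"]["account"]
    if auth_hits and not acct_hits:
        report["issues"].append("auth bumps the tally but no account rule resets it; "
                                "only pam_acct_mgmt() or pam_setcred() brings it back to zero")
    if not auth_hits and not acct_hits:
        report["issues"].append("%s is not active anywhere in %s" % (module, service))
    return report


if __name__ == "__main__":
    for label, files in (("as posted", PAM_FILES_AS_POSTED),
                         ("auth only", enable_tally(PAM_FILES_AS_POSTED, ("auth",))),
                         ("auth+account", enable_tally(PAM_FILES_AS_POSTED, ("auth", "account")))):
        r = audit_tally(files, "tac_plus")
        print(label, r["active"], r["commented"], *r["issues"], sep="\n  ")
```

Run against the quoted files it reports that pam_tally2 is commented out in both groups; re-enabling only the `auth` line reproduces the state the original poster most likely had and flags that nothing in the stack resets the count; enabling both lines yields a clean report. On the host itself, `pam_tally2 --user <name>` shows the live counter and `pam_tally2 --user <name> --reset` clears it, which is a quick way to see whether the count climbs on successful logins through tac_plus while the daemon tracing heasley suggests is running.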
