pam_faillock and AD/CentOS 7.2

Solution 1

Your problem is that you did not adjust the PAM stack accordingly, specifically the "skip" counts on the lines using the bracket notation. If you're not familiar with that notation, RTFM pam.conf(5), which also lists the bracket notation equivalents of "required", sufficient", etc.

The default auth section for RHEL 7 with sssd configured looks like this:

auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

The pam_localuser line says the default action is to skip one module (pam_unix in this case), but in case of success (i.e. the user is local), proceed normally. This is done so that domain (non-local) users do not generate a failed login attempt with pam_unix but instead skip directly to sssd (pam_sss, with a uid >= 1000 check beforehand).

Also note the default=die setting on pam_unix, which means a failed local login will abort the authentication stack right there (and not even try pam_sss). Similarly, success=done does the same for successful logins.

As has been already mentioned, pam_faillock does not apply to domain users, but if you're using it for local accounts and inserting three calls to it around pam_unix, you'll need to change the pam_localuser line to default=4, so that domain logins will continue to work. (With default=1, it will skip pam_faillock but proceed to pam_unix, which will obviously fail for domain accounts, and because of default=die, abort immediately. Setting default=4 will skip to pam_succeed_if, as it previously did.)

I'm not familiar with pam_faillock, so I can't say if calling it again after pam_unix is proper, but if that is correct, you'll also need to do something about the success=done and default=die on pam_unix, or else it will never make it to pam_faillock to lock/unlock accounts.

This is a complex PAM stack; you might consult the example configurations in pam_faillock(8). Make sure you don't accidentally let everyone in (hopefully, the pam_deny at the end takes care of that), and be sure to adjust any default=N counts when adding or remove subsequent lines.

TL;DR: [default=1] means skip one line afterwards (pam_unix in this case). Adding lines requires adjusting the count.

Solution 2

This is my password-auth file and it seems to work OK:

# Setup PAM Env
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=4000000
# Check if Local User, if fail skip to SSSD part
auth        [success=ok default=4]  pam_localuser.so

# Local User - Load pre-auth, if fail end
auth        [success=ok default=2]  pam_faillock.so preauth deny=3 unlock_time=604800 fail_interval=900

# Local User - Attempt Auth, if fail end
auth        [success=ok default=1]  pam_unix.so

# Lcaol User - Sucess, clear lock tally, end
auth        [default=done]          pam_faillock.so authsucc

# Local User - Fail, update lock tally, end
auth        [default=die]           pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900

# SSSD User  - Ensure uid is not system uid
auth        requisite     pam_succeed_if.so debug uid >= 1000

# SSSD User  - Attempt Auth
auth        sufficient    pam_sss.so

# Catchall   - Default result if nothin passes
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok


password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

AD user does not appear in the faillock output after a failed login, local user does.

UPDATE: I added some comments explaining the important steps in the PAM config. Hope this helps.

Related videos on Youtube

19 : 07

THỰC HÀNH CENTOS 7 JOIN DOMAIN | Khóa học LINUX LPI-2 | Trung tâm Athena

Trung Tam Athena

297

08 : 00 : 12

THỰC HÀNH CENTOS 7 JOIN DOMAIN | Trung tâm Athena

Trung Tam Athena

230

19 : 08

Bài: Centos 7 Join Domain Window Server 2016

Nhan Le

199

25 : 08

How to configure samba server in centos 7 , redhat 7 (public and private share)

Android and Tech Solutions

43

14 : 06

一隻IT狗系列：How to Integrate CentOS 7/8 or RHEL 7/8 with Windows Active Directory

一個人的雜誌

23

03 : 53

pam_faillock and AD/CentOS 7.2 (2 Solutions!!)

Roel Van de Paar

10

09 : 49

CentOS LDAP configuration with active directory.

BoredAdmin

2

11 : 03

How to add a Centos computer to a Windows Domain

jeff 2146

1

19 : 10

How to join Linux CentOS/RHEL to a Windows AD-DS Domain | CentOS 8 & Windows Server 2019

NetITGeeks

1

Author by

skinsbrew

Updated on September 18, 2022