winbind authentication

Posted: 2019/02/15 15:59:46
by vibin_203
Hi all,

I am able to authenticate AD users with the help of the winbind services (version 3.6.23-51.el6) on my CentOS 6.10 system, but my problem is that the account is getting locked out after 2 unsuccessful attempts even though I have set the password lockout threshold to 3 in Windows AD.

Thank you

Re: winbind authentication

Posted: 2019/02/15 16:53:39
by TrevorH
Kindly assist to get it sorted!!!!
Everyone who posts on this forum is a volunteer, kindly giving their own time to help others. An attitude like this is going to result in zero answers.

Re: winbind authentication

Posted: 2019/02/16 02:29:03
by vibin_203
I am new to this environment, and my apologies for the words.

Re: winbind authentication

Posted: 2019/04/10 11:20:03
by sreddy317
Check the below in /etc/pam.d/password-auth and /etc/pam.d/password-auth-ac:

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so

Re: winbind authentication

Posted: 2019/04/13 14:55:43
by TrevorH
Yes but it works, it's just working one time earlier than it ought to be.

I would trace the connection between the machine and the DC and see how many times it tries. Doing that might tell you if it really is trying 3 times and being locked out or only twice and the lockout is sooner from the Windows side.

Re: winbind authentication

Posted: 2019/05/09 09:29:52
by vibin_203
Hi,

When we use a wrong password for a single unsuccessful attempt, the same is reflected twice on the Windows AD side.

Our system's system-auth file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so cached_login use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so cached_login use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

When we make a wrong attempt twice, below is the log from /var/log/secure:

May 8 16:38:58 eos-hs-noc-008 pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=eosglobe.com\100377
May 8 16:38:58 eos-hs-noc-008 pam: gdm-password: pam_winbind(gdm-password:auth): getting password (0x00000210)
May 8 16:38:58 eos-hs-noc-008 pam: gdm-password: pam_winbind(gdm-password:auth): pam_get_item returned a password
May 8 16:38:58 eos-hs-noc-008 pam: gdm-password: pam_winbind(gdm-password:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
May 8 16:38:58 eos-hs-noc-008 pam: gdm-password: pam_winbind(gdm-password:auth): user 'eosglobe.com\100377' denied access (incorrect password or invalid membership)
May 8 16:40:08 eos-hs-noc-008 pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=eosglobe.com\100377
May 8 16:40:08 eos-hs-noc-008 pam: gdm-password: pam_winbind(gdm-password:auth): getting password (0x00000210)
May 8 16:40:08 eos-hs-noc-008 pam: gdm-password: pam_winbind(gdm-password:auth): pam_get_item returned a password
May 8 16:40:08 eos-hs-noc-008 pam: gdm-password: pam_winbind(gdm-password:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked out
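As an added diagnostic (not code from the thread), the script below parses /var/log/secure lines in the pam_unix/pam_winbind format shown above, attributes each wbcLogonUser failure to the user named in the preceding pam_unix failure for the same host and PAM service, and counts how many local attempts were seen before AD returned NT_STATUS_ACCOUNT_LOCKED_OUT. If that number is below the AD lockout threshold (3 in the original post), each local attempt is being counted more than once on the DC side. The hostname and user in the sample lines are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines in the /var/log/secure format from the thread
# (hostname and user are placeholders, not real values).
SAMPLE_LOG = r"""
May 8 16:38:58 host01 pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=example.com\100377
May 8 16:38:58 host01 pam: gdm-password: pam_winbind(gdm-password:auth): getting password (0x00000210)
May 8 16:38:58 host01 pam: gdm-password: pam_winbind(gdm-password:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
May 8 16:38:58 host01 pam: gdm-password: pam_winbind(gdm-password:auth): user 'example.com\100377' denied access (incorrect password or invalid membership)
May 8 16:40:08 host01 pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=example.com\100377
May 8 16:40:08 host01 pam: gdm-password: pam_winbind(gdm-password:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked out
"""

PREFIX = r"^(?P<ts>\w+ +\d+ [\d:]+) (?P<host>\S+) pam: (?P<svc>\S+): "
# pam_unix names the user; "\buser=" skips the "ruser=" field.
UNIX_FAIL = re.compile(PREFIX + r"pam_unix\(\S+:auth\): authentication failure;.*\buser=(?P<user>\S+)")
# pam_winbind carries the NTSTATUS the DC returned, but not the user.
WINBIND_FAIL = re.compile(PREFIX + r"pam_winbind\(\S+:auth\): request wbcLogonUser failed:.*NTSTATUS: (?P<status>NT_STATUS_\w+)")


def analyze(log_text, ad_threshold):
    """Per user: local attempts seen until AD reported a lockout, and whether
    that lockout came earlier than ad_threshold attempts would explain."""
    current_user = {}  # (host, service) -> user from the last pam_unix failure
    stats = defaultdict(lambda: {"attempts": 0, "locked_out": False, "early_lockout": False})
    for line in log_text.splitlines():
        m = UNIX_FAIL.match(line)
        if m:
            current_user[(m["host"], m["svc"])] = m["user"]
            continue
        m = WINBIND_FAIL.match(line)
        if not m:
            continue
        s = stats[current_user.get((m["host"], m["svc"]), "<unknown>")]
        if s["locked_out"]:
            continue  # attempts after the lockout do not count toward it
        s["attempts"] += 1
        if m["status"] == "NT_STATUS_ACCOUNT_LOCKED_OUT":
            s["locked_out"] = True
            s["early_lockout"] = s["attempts"] < ad_threshold
    return dict(stats)


if __name__ == "__main__":
    for user, s in analyze(SAMPLE_LOG, ad_threshold=3).items():
        print(user, s)
```

For the sample above the user is locked out after 2 local attempts against a threshold of 3, which is the early-lockout pattern described in the thread.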