PAM authentication: AD works but local doesn't

Post by minduim » 2016/09/29 13:39:42

Hello,
I've become the sysadmin of a bunch of CentOS servers and there are some issues I've been struggling with.

There's one server that's configured to accept logons from Active Directory accounts. That part works well; both Kerberos and PAM seem to be properly configured, and the server accepts logons from AD accounts with no problems. The problem is that the server is also supposed to accept logons from local accounts, and that part isn't working.

I've created a new local account, here named newuser; here is what happens when I try to log in with SSH:

$ ssh newuser@servername.domainname
newuser@servername.domainname's password: 
Connection to servername.domainname closed by remote host.
Connection to servername.domainname closed.

Here's what happens when I log in to the server with an AD account first, then try to su to the local account:

$ su - newuser
Password:
su: incorrect password

Here's the /etc/pam.d/system-auth file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

Here's the new user definition in /etc/passwd:

newuser:x:502:100::/home/newuser:/bin/bash

I've been reading PAM documentation and trying to pinpoint the issue, to no avail. Any tips?

Thanks.
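
The auth and account stacks in the system-auth file above are evaluated by Linux-PAM's control-flag rules, and the outcome for a given user depends on which line decides first. The following Python script is an added example; it is not part of the original post or of any reply, and it is not a diagnosis of the poster's server. It re-implements the control semantics documented in pam.conf(5) (required, requisite, sufficient, optional and the [value=action] form, including sticky failures and [success=N] jumps) and walks the poster's auth and account stacks with hypothetical per-module return values, so that the deciding line of each scenario is visible. The scenario dictionaries (for instance a local user being rejected by pam_access) and the return-value names used in them are assumptions chosen to illustrate the mechanics; module behaviour itself is not modelled, only the stack logic around it.

```python
import re
from typing import Dict, List, Tuple

# auth and account stacks copied from the /etc/pam.d/system-auth shown in the post
# (the password and session stacks are not consulted for a login decision).
SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so
"""

# pam.conf(5): the classic keywords are shorthand for these [value=action] tables.
CLASSIC = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

def parse_stack(text: str, stage: str) -> List[Tuple[Dict[str, str], str]]:
    """Return [(control_table, module)] for one management group (auth, account, ...)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) != stage:
            continue
        control, module = m.group(2), m.group(3)
        if control.startswith("["):
            table = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            table = CLASSIC[control]
        entries.append((table, module))
    return entries

def run_stack(entries, results: Dict[str, str]) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Walk a stack with hypothetical per-module results (simplified pam_dispatch logic).

    `results` maps module -> PAM return value name ("success", "auth_err",
    "perm_denied", "user_unknown", ...); unlisted modules return "success".
    Returns (final status, [(module, return, action)] for every line consulted).
    """
    impression, status, trace, i = None, "perm_denied", [], 0   # an all-ignored stack fails
    while i < len(entries):
        table, module = entries[i]
        ret = results.get(module, "success")
        action = table.get(ret, table.get("default", "bad"))
        trace.append((module, ret, action))
        i += 1
        if action in ("bad", "die"):
            if impression != "neg":               # the first recorded failure is sticky
                impression, status = "neg", ret
            if action == "die":
                break                             # requisite: stop immediately
        elif action in ("ok", "done") or action.isdigit():
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos", ret   # never overrides an earlier failure
            if action == "done" and impression == "pos":
                break                             # sufficient: return success right now
            if action.isdigit():
                i += int(action)                  # [success=N]: skip the next N lines
        elif action != "ignore":
            raise ValueError(f"unsupported action {action!r}")
    return status, trace

AUTH, ACCOUNT = parse_stack(SYSTEM_AUTH, "auth"), parse_stack(SYSTEM_AUTH, "account")

# Constructed scenarios: assumed module results, not observations from the poster's server.
AUTH_LOCAL_GOOD_PW = {}                                      # uid 502, correct local password
AUTH_LOCAL_BAD_PW = {"pam_unix.so": "auth_err", "pam_krb5.so": "user_unknown",
                     "pam_deny.so": "auth_err"}
AUTH_AD_GOOD_PW = {"pam_unix.so": "user_unknown"}            # no shadow entry, KDC accepts
ACCOUNT_LOCAL = {"pam_succeed_if.so": "auth_err",            # uid 502 is not < 500
                 "pam_krb5.so": "user_unknown"}
ACCOUNT_LOCAL_DENIED = dict(ACCOUNT_LOCAL, **{"pam_access.so": "perm_denied"})  # hypothetical access.conf rule
ACCOUNT_AD = {"pam_localuser.so": "user_unknown", "pam_succeed_if.so": "auth_err"}

def auth_outcome(results: Dict[str, str]):
    return run_stack(AUTH, results)

def account_outcome(results: Dict[str, str]):
    return run_stack(ACCOUNT, results)

if __name__ == "__main__":
    for name, fn, res in [("auth: local user, good password", auth_outcome, AUTH_LOCAL_GOOD_PW),
                          ("auth: local user, bad password", auth_outcome, AUTH_LOCAL_BAD_PW),
                          ("auth: AD user, good password", auth_outcome, AUTH_AD_GOOD_PW),
                          ("account: local user", account_outcome, ACCOUNT_LOCAL),
                          ("account: local user denied by pam_access", account_outcome, ACCOUNT_LOCAL_DENIED),
                          ("account: AD user", account_outcome, ACCOUNT_AD)]:
        status, trace = fn(res)
        print(f"{name}: {status}")
        for module, ret, action in trace:
            print(f"    {module:<20} returned {ret:<13} -> {action}")
```

The traces show two things worth keeping in mind when reading the poster's symptoms: a sufficient module that succeeds after a required module has already failed does not rescue the stack (the first failure is sticky and the stack runs to the end), and an auth stack that returns success says nothing about the account stack, which sshd runs next and which can still close the session. The script only reasons about the stack; to see what the real modules returned, the corresponding entries in /var/log/secure (with pam_unix, pam_access and pam_krb5 debug options where needed) are the ground truth.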