For the love of ${Diety}, don't adjust the common-*
parts of the PAM stack when experimenting with a new authentication setup. It is the fastest, easiest way to Hole Hawg yourself. You could potentially lock yourself out of the system permanently because of a chicken-and-egg scenario: you are locked out of the system, but you need to log into the system to make the changes needed to prevent you from being locked out.
Consider experimenting on a single service, like SSH (assuming you have console access nearby). Once you have the service prototyped/configured to your exact requirements, don't apply it right away to the common-*
files, instead, consider what impact it will have on other system services. Remember, common-*
acts as a "catch-all" for most configurations and a single mistake here means a visit to the rescue CD to get it unlocked again. Once you have a good handle on how the config will interact with different services that depend on the system's default(s), then apply it.
Another point to consider is that if you are making this change to common-*
to facilitate SSO for all services on the box, it will not catch every service, some services have their own authentication setup and you'll need to check those as well.
As far as the console messages are concerned, what has happened is that winbind is contacting your AD controller, which is seeing excessive failed login attempts. After 15 attempts (which I believe is the out-of-box number MS uses) the account is locked for a period of time, unless an administrator unlocks the account. This is why you're getting "account locked" messages when you log in - the winbind portion of your stack is failing the authentication attempts, and the process "falls through" to the next step in the stack.
I would look hard at your winbind settings to determine that the authentication is truly succeeding in the first place. If you're submitting credentials from a domain member that the AD controller doesn't like, it doesn't matter if the password is correct or not - sooner or later, the account will lock because the request is originating from what is perceived as a non-domain member. The first thing to check would be winbind's join to the domain, as this will affect if the credentials are even looked at. I would also look at how your administrative account is handled by winbind - I seem to recall there were one or two additional settings that were required to ensure proper behavior (I'll dig them out and re-edit when I have them...)
I would also recommend setting up a secondary password on the local linux box, using /etc/passwd
, so that you have "fail-though" athentication. Should the winbind service fail to authenticate (and it has in this case) /etc/passwd
will pick up the slack and allow you in. The fact that you're able to still get in seems to indicate that you've already done this by setting the local password the same as the AD password for the account your using.
Also consider installing another safety valve in the form of a sudo entry, so that a single, specific account will allow you to switch into root via sudo su
.
Although I definitely feel doublesharp's pain (just ran into this problem as well), doublesharp's answer here should not be used (not secure). The problem here is that sshd's internal-sftp is being executed before /usr/sbin/jk_chrootsh can be executed, WHICH NEEDS TO BE EXECUTED FOR SECURITY REASONS. So all you need to do to fix this issue is make sure that your /etc/ssh/sshd_config file has this line...
Subsystem sftp /usr/lib/openssh/sftp-server
... and NOT this line ...
Subsystem sftp internal-sftp
And also make sure you aren't doing any user/group matching in this file either. The big idea here is that if you are going to use jailkit for quarantining users on a Linux system, then you need to force all users through /usr/sbin/jk_chrootsh which can spin up its own sftp functionality if needed.
After you make your changes to /etc/ssh/sshd_config, make sure to restart sshd (method can vary depending on your system).
Best Answer
This could be due to a built in protection from the auditing system. Here is a relevant quote from somebody debugging your same situation. It appears as though non-root users are prevented from sending the USER_TTY records. Instead commands will be written out either when bash exits or the collection buffer fills up.
You should be able to find the information you're looking for after the user logs out.