For the love of ${Diety}, don't adjust the common-*
parts of the PAM stack when experimenting with a new authentication setup. It is the fastest, easiest way to Hole Hawg yourself. You could potentially lock yourself out of the system permanently because of a chicken-and-egg scenario: you are locked out of the system, but you need to log into the system to make the changes needed to prevent you from being locked out.
Consider experimenting on a single service, like SSH (assuming you have console access nearby). Once you have the service prototyped/configured to your exact requirements, don't apply it right away to the common-*
files, instead, consider what impact it will have on other system services. Remember, common-*
acts as a "catch-all" for most configurations and a single mistake here means a visit to the rescue CD to get it unlocked again. Once you have a good handle on how the config will interact with different services that depend on the system's default(s), then apply it.
Another point to consider is that if you are making this change to common-*
to facilitate SSO for all services on the box, it will not catch every service, some services have their own authentication setup and you'll need to check those as well.
As far as the console messages are concerned, what has happened is that winbind is contacting your AD controller, which is seeing excessive failed login attempts. After 15 attempts (which I believe is the out-of-box number MS uses) the account is locked for a period of time, unless an administrator unlocks the account. This is why you're getting "account locked" messages when you log in - the winbind portion of your stack is failing the authentication attempts, and the process "falls through" to the next step in the stack.
I would look hard at your winbind settings to determine that the authentication is truly succeeding in the first place. If you're submitting credentials from a domain member that the AD controller doesn't like, it doesn't matter if the password is correct or not - sooner or later, the account will lock because the request is originating from what is perceived as a non-domain member. The first thing to check would be winbind's join to the domain, as this will affect if the credentials are even looked at. I would also look at how your administrative account is handled by winbind - I seem to recall there were one or two additional settings that were required to ensure proper behavior (I'll dig them out and re-edit when I have them...)
I would also recommend setting up a secondary password on the local linux box, using /etc/passwd
, so that you have "fail-though" athentication. Should the winbind service fail to authenticate (and it has in this case) /etc/passwd
will pick up the slack and allow you in. The fact that you're able to still get in seems to indicate that you've already done this by setting the local password the same as the AD password for the account your using.
Also consider installing another safety valve in the form of a sudo entry, so that a single, specific account will allow you to switch into root via sudo su
.
Restore you pam files to the original versions. Install the libnss-ldap package which will integrate ldap access into pam. You may also want to install nscd.
Configure your server in /etc/ldap.conf.
Edit /etc/nsswitch.conf adding ldap to the end of the lines for passwd group and shadow.
passwd: compat ldap
group: compat ldap
shadow: compat ldap
Check to see if 'sudo getent shadow' is working for ldap entries. Check that you can get an authenticated connection using ldap-search from ldap-utils using your /etc/ldap.conf connection data.
Depending on your configuration you will also have to configure ssl values in /etc/ldap.conf.
Best Answer
I believe the
pam-auth-update
command resets to defaults.