Active Directory accounts locked out after four successive logins

Latest response

Good afternoon,
Encountering a strange issue. We have winbind running on all of our linux vm’s. The first four logons to different servers work fine, there are no fat finger errors entering the password, the user windows domain account from the windows perspective has no failed logins. When we logon to a fifth server for no reason that we can see the user domain is account is locked and requires one of our windows admins to unlock the account. Has anyone seen this before?
Here is our system-auth file

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
  auth        required      pam_env.so
  auth        sufficient    pam_winbind.so try_first_pass
  auth        sufficient    pam_unix.so nullok use_first_pass
  auth        requisite     pam_succeed_if.so uid >= 500 quiet
  auth        required      pam_tally2.so deny=5 onerr=fail unlock_time=300
  auth        required      pam_deny.so

  account     required      pam_unix.so broken_shadow
  account     sufficient    pam_localuser.so
  account     sufficient    pam_succeed_if.so uid < 500 quiet
  account     required      pam_access.so
  account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
  account     required      pam_permit.so

  password    requisite     pam_cracklib.so retry=5 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=5
  password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
  password    sufficient    pam_winbind.so use_authtok
  password    required      pam_deny.so

  session     optional      pam_keyinit.so revoke
  session     required      pam_limits.so
  session     optional      pam_oddjob_mkhomedir.so
  session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
  session     required      pam_unix.so
  session     optional      pam_winbind.so

Here is the error message were seeing:

pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked out

Thank you for any all input

Norm

Norm Long's picture

Responses

Hello

First of all, If possible try to configure pam_tally2 as explained in https://access.redhat.com/site/solutions/119243

Second, User blocks only in AD or in pam_tally2 also.

As root
[root@atolani python]# pam_tally2 -u username

Try to check if user is locked when using SSH only or it happens with console also, Check https://access.redhat.com/solutions/29233

Try to get TGT using kinit 4-5 times & check if that also locks the user on AD or not.

kinit username

Hope that helps.

Thought that pam_faillock supplanted pam_tally2 (at least, pam_faillock's called out for use in the SCAP guidance)?

The other question to ask would be "do users with the same logical name exist in both AD and /etc/passwd". What we've found in our various environments is that people sometimes make the mistake of making an /etc/passwd userid that collides with the AD namespace. Thus, even if they auth correctly against AD, as the rest of the PAM-stack is dropped through, pam_tally/pam_faillock will get incremented because the authentication against the local version of the userid fails. Looking at the OPs authfail configuration, if he's cycling through multiple login attempts in shorter order than 300 seconds, he'd end up locking the userid if there were collisions.

Was this helpful?

We appreciate your feedback. Leave a comment if you would like to provide more detail.
It looks like we have some work to do. Leave a comment to let us know how we could improve.
Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.