Active Directory accounts locked out after four successive logins

Latest response

Good afternoon,
Encountering a strange issue. We have winbind running on all of our linux vm’s. The first four logons to different servers work fine, there are no fat finger errors entering the password, the user windows domain account from the windows perspective has no failed logins. When we logon to a fifth server for no reason that we can see the user domain is account is locked and requires one of our windows admins to unlock the account. Has anyone seen this before?
Here is our system-auth file

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
  auth        required
  auth        sufficient try_first_pass
  auth        sufficient nullok use_first_pass
  auth        requisite uid >= 500 quiet
  auth        required deny=5 onerr=fail unlock_time=300
  auth        required

  account     required broken_shadow
  account     sufficient
  account     sufficient uid < 500 quiet
  account     required
  account     [default=bad success=ok user_unknown=ignore]
  account     required

  password    requisite retry=5 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=5
  password    sufficient md5 shadow nullok try_first_pass use_authtok
  password    sufficient use_authtok
  password    required

  session     optional revoke
  session     required
  session     optional
  session     [success=1 default=ignore] service in crond quiet use_uid
  session     required
  session     optional

Here is the error message were seeing:

pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked out

Thank you for any all input




First of all, If possible try to configure pam_tally2 as explained in

Second, User blocks only in AD or in pam_tally2 also.

As root
[root@atolani python]# pam_tally2 -u username

Try to check if user is locked when using SSH only or it happens with console also, Check

Try to get TGT using kinit 4-5 times & check if that also locks the user on AD or not.

kinit username

Hope that helps.

Thought that pam_faillock supplanted pam_tally2 (at least, pam_faillock's called out for use in the SCAP guidance)?

The other question to ask would be "do users with the same logical name exist in both AD and /etc/passwd". What we've found in our various environments is that people sometimes make the mistake of making an /etc/passwd userid that collides with the AD namespace. Thus, even if they auth correctly against AD, as the rest of the PAM-stack is dropped through, pam_tally/pam_faillock will get incremented because the authentication against the local version of the userid fails. Looking at the OPs authfail configuration, if he's cycling through multiple login attempts in shorter order than 300 seconds, he'd end up locking the userid if there were collisions.