- Posted In
- Red Hat Enterprise Linux
I have an issue with RHEL7 and pam_lastlog module.
Some hardening has been implemented on the past on specific files:
where pam_lastlog.so inactive=30 was set.
Due to this settings, domain accounts that was connected before the last 30 days are considered as inactive users. My case is: some services accounts don't log often on servers and so are blocked by pam.
I have removed this settings but the account is still considered as inactive (indicated on /var/log/secure). As pam don't have daemon, there is no service to restart and any case the issue still happening after reboot.
If I'm connecting with root and perform the command su username it's unlocking the account or if I'm more "violent" and clean the last logon with "lastlog -C -u username" it's also unlock the account.
But I want to know if there is a way to "unlock" all "inactive" accounts on my servers because I don't know all logins used and I have a lot of users/servers. Or to know why it's considering as inactive accounts as I have removed the inactivity parameters in pam files
I saw a way to clean the full lastlog file but I prefer keep this in the last solution because it's production servers.
Thanks for your help.