Pam_Lastlog - Inactivity - How To Remove Inactivity Check for domain users

Latest response


I have an issue with RHEL7 and pam_lastlog module.
Some hardening has been implemented on the past on specific files:


where inactive=30 was set.

Due to this settings, domain accounts that was connected before the last 30 days are considered as inactive users. My case is: some services accounts don't log often on servers and so are blocked by pam.

I have removed this settings but the account is still considered as inactive (indicated on /var/log/secure). As pam don't have daemon, there is no service to restart and any case the issue still happening after reboot.

If I'm connecting with root and perform the command su username it's unlocking the account or if I'm more "violent" and clean the last logon with "lastlog -C -u username" it's also unlock the account.

But I want to know if there is a way to "unlock" all "inactive" accounts on my servers because I don't know all logins used and I have a lot of users/servers. Or to know why it's considering as inactive accounts as I have removed the inactivity parameters in pam files

I saw a way to clean the full lastlog file but I prefer keep this in the last solution because it's production servers.

Thanks for your help.


Did this question ever get answered ? Can anyone help. We have the same issue even though the inactive options has been removed from the PAM stack.