winbind authentication

General support questions
Post Reply
vibin_203
Posts: 3
Joined: 2019/02/15 15:46:56

winbind authentication

Post by vibin_203 » 2019/02/15 15:59:46

Hi all,

I am able to authenticate AD user with the help of winbind services(version 3.6.23-51.el6) in my centos 6.10 system, but my problem is system is getting locked out after 2 unsuccessful attempts even though I have kept password lockout threshold=3 in windows AD.

Thank you
Last edited by vibin_203 on 2019/02/16 02:32:32, edited 1 time in total.

User avatar
TrevorH
Forum Moderator
Posts: 26303
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: winbind authentication

Post by TrevorH » 2019/02/15 16:53:39

Kindly assist to get it sorted!!!!
Everyone who posts on this forum is a volunteer, kindly giving their own time to help others. An attitude like this is going to result in zero answers.
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

vibin_203
Posts: 3
Joined: 2019/02/15 15:46:56

Re: winbind authentication

Post by vibin_203 » 2019/02/16 02:29:03

I am new to this environment and my apologies for the words .

sreddy317
Posts: 1
Joined: 2019/04/10 09:20:52

Re: winbind authentication

Post by sreddy317 » 2019/04/10 11:20:03

check the below in /etc/pam.d/password-auth and /etc/pam.d/password-auth-ac

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so

User avatar
TrevorH
Forum Moderator
Posts: 26303
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: winbind authentication

Post by TrevorH » 2019/04/13 14:55:43

Yes but it works, it's just working one time earlier than it ought to be.

I would trace the connection between the machine and the DC and see how many times it tries. Doing that might tell you if it really is trying 3 times and being locked out or only twice and the lockout is sooner from the Windows side.
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

vibin_203
Posts: 3
Joined: 2019/02/15 15:46:56

Re: winbind authentication

Post by vibin_203 » 2019/05/09 09:29:52

Hi,

When we use wrong password for single unsuccessful attempt, the same is getting reflected twice at windows AD side.

Our system system-auth file :-

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so cached_login use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so cached_login use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

when we make wrong attempt twice below is the log
/var/log/secure

May 8 16:38:58 eos-hs-noc-008 pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=eosglobe.com\100377
May 8 16:38:58 eos-hs-noc-008 pam: gdm-password: pam_winbind(gdm-password:auth): getting password (0x00000210)
May 8 16:38:58 eos-hs-noc-008 pam: gdm-password: pam_winbind(gdm-password:auth): pam_get_item returned a password
May 8 16:38:58 eos-hs-noc-008 pam: gdm-password: pam_winbind(gdm-password:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
May 8 16:38:58 eos-hs-noc-008 pam: gdm-password: pam_winbind(gdm-password:auth): user 'eosglobe.com\100377' denied access (incorrect password or invalid membership)
May 8 16:40:08 eos-hs-noc-008 pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=eosglobe.com\100377
May 8 16:40:08 eos-hs-noc-008 pam: gdm-password: pam_winbind(gdm-password:auth): getting password (0x00000210)
May 8 16:40:08 eos-hs-noc-008 pam: gdm-password: pam_winbind(gdm-password:auth): pam_get_item returned a password
May 8 16:40:08 eos-hs-noc-008 pam: gdm-password: pam_winbind(gdm-password:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked out

Post Reply