PAM Agent Locking AD User

Hi Sirs, good afternoon!


I am trying to set up the PAM Agent to authenticate using a token, and it is working fine, but I have some particular issues and I hope you can help me.

I am facing an issue with the PAM Agent as follows:

 - When I configure the /etc/pam.d/sshd file adding the line "auth required", it works fine with a local user (with and without a token), but for an AD user it works only with a token; I am not able to authenticate an AD user without a token.

   So I have made some changes to make it work: I set the parameter PAM_IGNORE_SUPPORT_FOR_USERS to 1 in the /etc/sd_pam.conf file and I added these three lines to /etc/pam.d/sshd:

   auth required
   auth       sufficient try_first_pass
   auth       sufficient use_first_pass

   This way I am able to authenticate with a local user (with and without a token) and with an AD user (with and without a token), but after some successful authentications the AD user is being locked in Active Directory and I don't know why it is happening.

I hope I have been clear, if I was not clear please let me know.

Can anyone help me?

Thanks in advance.


Hi Robert,

I'm not sure that "use_first_pass" is the option you want to use with the configuration line. Looking at the documentation on this option:


use_first_pass     The argument use_first_pass forces the module to use a previous stacked modules password and will never prompt the user - if no password is available or the password is not appropriate, the user will be denied access.


From this description, I would not be surprised if the KRB5 PAM module is attempting to use the same password used when authenticating locally. If this password is different than the Active Directory password, I would expect you would be seeing a number of invalid password authentications being sent to your AD from the PAM agent. Depending on your lockout policy, these may be sufficient to trigger account lockout. I would perform a single authentication and check your AD event logs.

Hi Piers,

Thanks for your assistance.


Yes, I was suspecting it. I have changed to:

auth     required

auth     sufficient

auth    [success=done new_authtok_reqd=done default=die]

...and it seemed to work. All authentication is working, local and domain user, and the domain user isn't being locked anymore.


I am not familiar with Linux, what do you think about these lines?
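The control words used in the stacks above (`required`, `sufficient`, and the bracketed `[success=done new_authtok_reqd=done default=die]`) are shorthand for action tables documented in pam.conf(5), and the `use_first_pass` / `try_first_pass` options decide whether a module reuses the secret an earlier module already collected. The following is an added example written for this thread, not code from the posts above or from the PAM agent vendor: a small Python model of how libpam walks an auth stack. The module names `token_agent`, `directory` and `local` are hypothetical stand-ins for the lines whose module names did not survive in the posts, the secrets are constructed, and which real module sat on which line is an assumption. It counts how many wrong secrets a single login forwards to the directory backend (what AD would record as bad-password attempts) and shows that a trailing `sufficient` lets the stack fall through to the earlier `required` result, whereas `default=die` on the last line makes the stack fail closed.

```python
"""Toy evaluator for Linux-PAM 'auth' stack control flags.

Added example, not code from this thread or from the PAM agent vendor.
Module names (token_agent, directory, local) are hypothetical stand-ins;
the control-flag semantics follow pam.conf(5).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

SUCCESS, AUTH_ERR = "success", "auth_err"   # subset of the PAM return codes

# pam.conf(5): the keyword controls are shorthand for these action tables.
KEYWORD_CONTROLS: Dict[str, Dict[str, str]] = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}


def parse_control(control: str) -> Dict[str, str]:
    """Turn 'required' or '[success=done default=die]' into an action table."""
    control = control.strip()
    if control.startswith("[") and control.endswith("]"):
        return dict(item.split("=", 1) for item in control[1:-1].split())
    return dict(KEYWORD_CONTROLS[control])


@dataclass
class Handle:
    """State shared by the stacked modules (a much simplified pam_handle_t)."""
    typed: List[str]                       # answers the user will give to prompts
    authtok: Optional[str] = None          # PAM_AUTHTOK left behind by an earlier module
    verifications: List[Tuple[str, str, bool]] = field(default_factory=list)

    def failures_at(self, backend: str) -> int:
        """How many bad secrets this login sent to one backend (what AD would log)."""
        return sum(1 for b, _, ok in self.verifications if b == backend and not ok)


def backend_module(name: str, accepted: str, *options: str) -> Callable[[Handle], str]:
    """Toy module checking one secret against one backend; honours use_first_pass
    (reuse the stored secret, never prompt) and try_first_pass (reuse, then prompt)."""
    def verify(h: Handle, secret: str) -> bool:
        ok = secret == accepted
        h.verifications.append((name, secret, ok))
        return ok

    def module(h: Handle) -> str:
        reuse = "use_first_pass" in options or "try_first_pass" in options
        if reuse and h.authtok is not None and verify(h, h.authtok):
            return SUCCESS
        if "use_first_pass" in options or not h.typed:
            return AUTH_ERR                # use_first_pass never prompts; or nothing left to type
        h.authtok = h.typed.pop(0)         # prompt and remember the answer for later modules
        return SUCCESS if verify(h, h.authtok) else AUTH_ERR
    return module


def run_auth_stack(stack, handle: Handle) -> str:
    """Walk an auth stack the way libpam does for the ok/done/bad/die/ignore actions."""
    status, failed = SUCCESS, False
    for name, control, module in stack:
        table = parse_control(control)
        rc = module(handle)
        action = table.get(rc, table["default"])
        if action == "ignore":
            continue
        if action not in ("ok", "done", "bad", "die"):
            raise NotImplementedError(f"{name}: action {action!r} not modelled")
        if not failed:                     # the first failure sticks; later successes cannot undo it
            status, failed = rc, action in ("bad", "die")
        if action in ("done", "die"):      # both terminate the stack early
            break
    return status


# Constructed secrets for the scenarios below.
TOKEN_PASSCODE, AD_PASSWORD, LOCAL_PASSWORD = "1234567890", "Ad-Passw0rd!", "local-pw"


def first_stack(directory_option: str):
    """Robert's first arrangement: required agent, then two sufficient modules."""
    return [
        ("token_agent", "required", backend_module("token_agent", TOKEN_PASSCODE)),
        ("directory", "sufficient", backend_module("directory", AD_PASSWORD, directory_option)),
        ("local", "sufficient", backend_module("local", LOCAL_PASSWORD, "use_first_pass")),
    ]


def revised_stack():
    """Robert's later arrangement, with the bracketed control on the last line."""
    return [
        ("token_agent", "required", backend_module("token_agent", TOKEN_PASSCODE)),
        ("directory", "sufficient", backend_module("directory", AD_PASSWORD)),
        ("local", "[success=done new_authtok_reqd=done default=die]",
         backend_module("local", LOCAL_PASSWORD)),
    ]


def login(stack, typed: List[str]) -> Tuple[str, Handle]:
    """Run one login attempt; return the stack result and the handle with its verification log."""
    h = Handle(typed=list(typed))
    return run_auth_stack(stack, h), h


if __name__ == "__main__":
    for label, stack, typed in [
        ("try_first_pass, token then AD password", first_stack("try_first_pass"), [TOKEN_PASSCODE, AD_PASSWORD]),
        ("use_first_pass, token only", first_stack("use_first_pass"), [TOKEN_PASSCODE]),
        ("revised stack, token then wrong password", revised_stack(), [TOKEN_PASSCODE, "wrong"]),
    ]:
        status, h = login(stack, typed)
        print(f"{label}: {status}, bad attempts at directory = {h.failures_at('directory')}")
```

Two things stand out when running it. In the first arrangement every login where the secret collected by the agent is not the AD password costs one rejected verification at the directory, because `try_first_pass` and `use_first_pass` both forward that secret before anything else happens; that is the mechanism Piers describes, and a lockout threshold is reached after a handful of logins. And because the two trailing lines are `sufficient`, a failure in them is ignored, so the stack still succeeds on the `required` agent alone. In the revised arrangement a failure on the last line hits `default=die`, so the stack stops and returns that failure instead of falling through.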