SecurID Discussions
RobertoManzo
New Contributor

PAM Agent locking AD user

Hi Sirs, good afternoon!

 

I am trying to set up the PAM Agent to authenticate using a token, and it is working fine, but I have some particular issues and I hope you can help me.

I am facing an issue with the PAM Agent, as follows:

 - When I configure the /etc/pam.d/sshd file by adding the line "auth required pam_securid.so", it works fine with a local user (with and without a token), but for an AD user it works only with a token; I am not able to authenticate an AD user without a token.

   So I made some changes to make it work: I set the parameter "PAM_IGNORE_SUPPORT_FOR_USERS" to 1 in the /etc/sd_pam.conf file and I added these three lines to /etc/pam.d/sshd:

     auth required pam_securid.so
     auth sufficient pam_unix.so try_first_pass
     auth sufficient pam_krb5.so use_first_pass

   This way I am able to authenticate with a local user (with and without a token) and with an AD user (with and without a token), but after some successful authentications the AD user is being locked in Active Directory, and I don't know why it is happening.

I hope I have been clear; if not, please let me know.

Can anyone help me?

Thanks in advance.

Regards,

PiersB
Trusted Contributor

Hi Robert,

I'm not sure that "use_first_pass" is the option you want to use on the pam_krb5.so configuration line. Looking at the documentation for this option:

 

use_first_pass     The argument use_first_pass forces the module to use a previous stacked module's password and will never prompt the user; if no password is available or the password is not appropriate, the user will be denied access.

 

From this description, I would not be surprised if the KRB5 PAM module is attempting to use the same password that was used when authenticating locally. If this password is different from the Active Directory password, I would expect you to see a number of invalid-password authentication attempts being sent to your AD from the PAM agent. Depending on your lockout policy, these may be sufficient to trigger an account lockout. I would perform a single authentication and check your AD event logs.

RobertoManzo
New Contributor

Hi Piers,

Thanks for your assistance.

 

Yes, I was suspecting that. I have changed it to:

auth     required    pam_securid.so

auth     sufficient   pam_unix.so

auth    [success=done new_authtok_reqd=done default=die] pam_krb5.so

...and it seems to work. All authentication is working, for local and domain users, and the domain user isn't being locked anymore.

 

I am not familiar with Linux; what do you think about these lines?

Regards,
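Added example, not from this thread or from RSA: a small shell lint over the two /etc/pam.d/sshd auth stacks quoted above (copied into the script as constructed strings). It flags the two things a reviewer would check on these lines. First, pam_krb5.so forced to reuse a stacked password with use_first_pass, which is what Piers traced the AD lockouts to: the module never prompts, so whatever password an earlier module stacked is replayed to the domain controller on every login. Second, an auth stack whose last line is "sufficient": under Linux-PAM semantics a rejection by a sufficient module is ignored, so if every sufficient module rejects the password the stack still succeeds whenever the required modules did, which for the first stack means the token alone. The final stack in the last reply passes both checks because pam_krb5.so no longer has use_first_pass and its bracketed control ends with default=die. The function name lint_pam_auth_stack and the finding wording are my own.

```shell
#!/bin/sh
# Constructed copies of the two auth stacks discussed in the thread.
PROBLEM_STACK='auth required   pam_securid.so
auth sufficient pam_unix.so try_first_pass
auth sufficient pam_krb5.so use_first_pass'

FIXED_STACK='auth required   pam_securid.so
auth sufficient pam_unix.so
auth [success=done new_authtok_reqd=done default=die] pam_krb5.so'

# lint_pam_auth_stack: reads PAM lines on stdin, prints one FINDING line per
# problem and returns 1 if anything was found, 0 otherwise.
# Only "auth" lines are examined; comments and blank lines are skipped.
lint_pam_auth_stack() {
    awk '
    /^[ \t]*(#|$)/ { next }
    $1 != "auth"   { next }
    {
        rest = $0
        sub(/^[ \t]*auth[ \t]+/, "", rest)
        # The control field is either a single word (required, sufficient, ...)
        # or a bracketed list such as [success=done default=die].
        if (rest ~ /^\[/) {
            i = index(rest, "]")
            control = substr(rest, 1, i)
            rest = substr(rest, i + 1)
        } else {
            control = rest
            sub(/[ \t].*$/, "", control)
            rest = substr(rest, length(control) + 1)
        }
        sub(/^[ \t]+/, "", rest)
        module = rest
        sub(/[ \t].*$/, "", module)
        args = substr(rest, length(module) + 1)

        # Check 1: pam_krb5.so told to replay a stacked password without prompting.
        if (module == "pam_krb5.so" && args ~ /(^|[ \t])use_first_pass([ \t]|$)/) {
            printf "FINDING: %s has use_first_pass: it never prompts and replays the password stacked by an earlier module to the KDC/domain controller; a mismatch is a failed AD logon on every login\n", module
            bad++
        }
        last_control = control
        last_module = module
    }
    END {
        # Check 2: a trailing "sufficient" line. Its failure is ignored, so the
        # stack result falls back to the required modules alone.
        if (last_control == "sufficient") {
            printf "FINDING: auth stack ends with a sufficient module (%s): if every sufficient module rejects the password, the stack still succeeds whenever the required modules did\n", last_module
            bad++
        }
        exit (bad ? 1 : 0)
    }'
}

# Stand-alone demo: lint both stacks and report.
for name in PROBLEM_STACK FIXED_STACK; do
    eval "stack=\$$name"
    printf '== %s ==\n' "$name"
    printf '%s\n' "$stack" | lint_pam_auth_stack && echo "no findings"
done
```

Run it against a real /etc/pam.d/sshd with `lint_pam_auth_stack < /etc/pam.d/sshd`; the two checks are heuristics for the patterns in this thread, not a full PAM stack evaluator.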