PAM Winbind Expired Password

Posted by kernelpanic on Server Fault
Published on 2013-11-07T16:55:10Z

We've got Winbind/Kerberos set up on RHEL for AD authentication. It's working fine; however, I noticed that when a password has expired, we get a warning but shell access is still granted.

What's the proper way of handling this? Can we tell PAM to close the session once it sees the password has expired?

Example:

login as: ad-user
[email protected]'s password:
Warning: password has expired.
[ad-user@server ~]$ 

Contents of /etc/pam.d/system-auth:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     [default=2 success=ignore] pam_succeed_if.so quiet uid >= 10000000
account     sufficient    pam_succeed_if.so user ingroup AD_Admins debug
account     requisite     pam_succeed_if.so user ingroup AD_Developers debug
account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     [default=2 success=ignore] pam_succeed_if.so quiet uid >= 10000000
session     sufficient    pam_succeed_if.so user ingroup AD_Admins debug
session     requisite     pam_succeed_if.so user ingroup AD_Developers debug
session     optional      pam_mkhomedir.so umask=0077 skel=/etc/skel
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
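To see which account modules actually run for a given user under the stack quoted above, here is a small simulator of the pam.conf(5) control-flag rules. It is an added example and not part of the original post or of Linux-PAM: it walks the question's own account section for three constructed users (an AD member of AD_Admins, an AD member of AD_Developers, and a local user), and every module outcome other than the pam_succeed_if conditions is an assumption labelled in the code.

```python
"""Walk a Linux-PAM `account` stack with the control-flag rules of pam.conf(5).

Added example, not code from the Server Fault post. The stack text below is
the account section quoted in the question; the per-module outcomes in each
scenario are constructed assumptions, not observed results.
"""
from collections import namedtuple

SUCCESS, NEW_AUTHTOK_REQD, PERM_DENIED, AUTH_ERR = (
    "PAM_SUCCESS", "PAM_NEW_AUTHTOK_REQD", "PAM_PERM_DENIED", "PAM_AUTH_ERR")

# Keyword controls expanded to their [value=action] form, as in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# The account stack from the question (system-auth on the poster's RHEL host).
SYSTEM_AUTH = """
account     [default=2 success=ignore] pam_succeed_if.so quiet uid >= 10000000
account     sufficient    pam_succeed_if.so user ingroup AD_Admins debug
account     requisite     pam_succeed_if.so user ingroup AD_Developers debug
account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so
"""

Entry = namedtuple("Entry", "control module args")
User = namedtuple("User", "name uid groups outcomes")


def parse_stack(text, stack_type="account"):
    """Return the entries of one stack type, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        mtype, rest = line.split(None, 1)
        if mtype != stack_type:
            continue
        if rest.startswith("["):                     # bracketed [value=action ...] control
            ctl, rest = rest[1:].split("]", 1)
            control = dict(kv.split("=", 1) for kv in ctl.split())
        else:                                        # keyword control
            keyword, rest = rest.split(None, 1)
            control = KEYWORDS[keyword]
        parts = rest.split(None, 1)
        entries.append(Entry(control, parts[0], parts[1] if len(parts) > 1 else ""))
    return entries


def succeed_if(args, user):
    """Evaluate the pam_succeed_if conditions that appear in this stack."""
    t = [x for x in args.split() if x not in ("quiet", "debug", "use_uid")]
    if t[0] == "uid":
        ok = {">=": user.uid >= int(t[2]), "<": user.uid < int(t[2])}[t[1]]
    elif t[:2] == ["user", "ingroup"]:
        ok = t[2] in user.groups
    else:
        raise ValueError("condition not modelled: " + args)
    return SUCCESS if ok else AUTH_ERR               # pam_succeed_if fails with PAM_AUTH_ERR


def run_stack(entries, user):
    """Return (final status, modules actually invoked) for one user."""
    impression, status, invoked, i = None, SUCCESS, [], 0   # None = nothing decided yet
    while i < len(entries):
        e = entries[i]
        i += 1
        retval = succeed_if(e.args, user) if e.module == "pam_succeed_if.so" \
            else user.outcomes.get(e.module, SUCCESS)
        invoked.append(e.module)
        value = retval[len("PAM_"):].lower()        # PAM_AUTH_ERR -> auth_err
        action = e.control.get(value, e.control["default"])
        if action in ("ok", "done"):
            # A success-class return is recorded only while nothing negative was.
            if impression is None or (impression and status == SUCCESS):
                impression, status = True, retval
            if action == "done" and impression and status == SUCCESS:
                break                                # sufficient: stop the stack early
        elif action in ("bad", "die"):
            if impression is not False:              # the first failure code wins
                impression, status = False, retval
            if action == "die":
                break                                # requisite: stop immediately
        elif action != "ignore":
            i += int(action)                         # jump: skip the next N modules
    if impression is None:
        status = PERM_DENIED                         # no module decided anything: deny
    return status, invoked


# Constructed scenarios; uids >= 10000000 are winbind-mapped AD users in this stack.
AD_EXPIRED = {                                       # assumed outcomes for an AD user
    "pam_access.so": SUCCESS,                        # assume no access.conf restriction
    "pam_unix.so": SUCCESS,                          # broken_shadow: missing shadow entry tolerated
    "pam_localuser.so": PERM_DENIED,                 # not listed in /etc/passwd
    "pam_krb5.so": SUCCESS,                          # assumed
    "pam_winbind.so": NEW_AUTHTOK_REQD,              # AD password expired
}
AD_ADMIN = User("ad-admin", 10000123, {"AD_Admins"}, AD_EXPIRED)
AD_DEV = User("ad-dev", 10000456, {"AD_Developers"}, AD_EXPIRED)
LOCAL = User("localadm", 500, {"wheel"}, {"pam_localuser.so": SUCCESS})


def account_result(user):
    return run_stack(parse_stack(SYSTEM_AUTH), user)


if __name__ == "__main__":
    for u in (AD_ADMIN, AD_DEV, LOCAL):
        status, invoked = account_result(u)
        print(f"{u.name:9} -> {status:21} via {' -> '.join(invoked)}")
```

Run stand-alone, the simulator reports that the AD_Admins user is granted by the `sufficient` pam_succeed_if line before pam_winbind's account check is ever invoked, that the AD_Developers user reaches pam_winbind and gets PAM_NEW_AUTHTOK_REQD (mapped to `default=bad` by that line's bracketed control), and that the local user's failed `uid >= 10000000` test jumps straight over the two group lines to pam_access. The same walker can be pointed at any other stack section by passing a different `stack_type`.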
