We've got Winbind/Kerberos setup on RHEL for AD authentication. Working fine however I noticed that when a password has expired, we get a warning but shell access is still granted.
What's the proper way of handling this? Can we tell PAM to close the session once it sees the password has expired?
Example:
login as: ad-user
[email protected]'s password:
Warning: password has expired.
[ad-user@server ~]$
Contents of /etc/pam.d/system-auth:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >=
500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account [default=2 success=ignore] pam_succeed_if.so quiet uid >= 10000000
account sufficient pam_succeed_if.so user ingroup AD_Admins debug
account requisite pam_succeed_if.so user ingroup AD_Developers debug
account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid <
500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session [default=2 success=ignore] pam_succeed_if.so quiet uid >= 10000000
session sufficient pam_succeed_if.so user ingroup AD_Admins debug
session requisite pam_succeed_if.so user ingroup AD_Developers debug
session optional pam_mkhomedir.so umask=0077 skel=/etc/skel
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so