In testing the effects of the passwd command, I have found the following...
I run the passwd command with an account that also has an Active Directory name. If I disobey the prompt "(current) UNIX password:" and enter my AD authentication instead, it changes the AD password rather than the local password. That might be desirable in some situations, but we don't want that to happen.

Here is our system-auth, which ssh is using:

auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_smb_auth.so use_first_pass nolocal
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok
password    sufficient    pam_winbind.so try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

winbind is not set in /etc/nsswitch.conf. We have simply:

passwd: files

This Red Hat server also has a samba service, which authenticates off AD, so it has joined the domain as a machine.

Is there room for improvement in our pam settings which would prevent inadvertent reset of the AD account authentication?

--Donald

_______________________________________________
rhelv5-list mailing list
https://www.redhat.com/mailman/listinfo/rhelv5-list
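One way to keep the password stack from falling through to winbind for local accounts, shown as an added example that is not part of Donald's post or of Red Hat's shipped system-auth: gate pam_winbind.so behind pam_localuser.so so that any user present in /etc/passwd skips it, which leaves pam_unix.so as the only module that can consume the typed current password. It assumes pam_localuser.so (already used in the account stack above) is available for the password type, and that every account whose password must stay local is listed in /etc/passwd.

```text
# Original password stack from the post. In the PAM_PRELIM_CHECK pass a wrong
# "(current) UNIX password" makes pam_unix fail; because it is "sufficient" the
# stack continues, and pam_winbind (try_first_pass) re-uses the typed password
# against AD, succeeds, and in the update pass changes the AD password.
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok
password    sufficient    pam_winbind.so try_first_pass use_authtok
password    required      pam_deny.so

# Added example (assumption: pam_localuser.so handles the password type).
# pam_localuser succeeds for users in /etc/passwd -> jump over the next
# 1 module (pam_winbind); for anyone else its result is ignored.
# A local user whose current password is wrong then falls to pam_deny
# instead of being retried against AD.
password    requisite     pam_cracklib.so try_first_pass retry=3
password    [success=1 default=ignore] pam_localuser.so
password    sufficient    pam_winbind.so try_first_pass use_authtok
password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok
password    required      pam_deny.so
```

With nsswitch set to "passwd: files", every account that passwd can resolve is local, so on this box the change means pam_winbind is never consulted by passwd at all; a failed attempt then shows as "Authentication token manipulation error" and is logged by pam_unix, which is the event to watch for.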
