PAM Winbind password expiry

We have set up Winbind/Kerberos on RHEL for AD authentication. It works fine, but I've noticed that when a password expires we get a warning, yet shell access is still granted.

What is the correct way to handle this? Can we tell PAM to close the session once the password has expired?

Example:

login as: ad-user
[email protected]'s password:
Warning: password has expired.
[ad-user@server ~]$ 

Contents of /etc/pam.d/system-auth:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     [default=2 success=ignore] pam_succeed_if.so quiet uid >= 10000000
account     sufficient    pam_succeed_if.so user ingroup AD_Admins debug
account     requisite     pam_succeed_if.so user ingroup AD_Developers debug
account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     [default=2 success=ignore] pam_succeed_if.so quiet uid >= 10000000
session     sufficient    pam_succeed_if.so user ingroup AD_Admins debug
session     requisite     pam_succeed_if.so user ingroup AD_Developers debug
session     optional      pam_mkhomedir.so umask=0077 skel=/etc/skel
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

Answer 1

We would need to know the numeric uid of the user you are logging in as to be certain. What follows is speculation.

Authorization lockout normally happens inside the account stack, so let's start looking there. Entries that terminate the module stack are immediately suspect. I don't see done anywhere here, so we need to focus on the lines with sufficient. That narrows it down to these lines at the top of the stack:

account     [default=2 success=ignore] pam_succeed_if.so quiet uid >= 10000000
account     sufficient    pam_succeed_if.so user ingroup AD_Admins debug
account     requisite     pam_succeed_if.so user ingroup AD_Developers debug
account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
  • If the numeric uid <= 10000000 and the user is a member of the AD_Admins group, the account stack will terminate with success at line 2.
  • If the user has an entry in /etc/passwd in addition to LDAP, the account stack will terminate with success at line 6.
  • If the numeric uid < 500, the account stack will terminate with success at line 7. (This is unlikely to be the culprit, since you check for >= 500 in the auth stack.)

All of the above cases would cause the account stack to terminate before the account checks of pam_krb5.so and pam_winbind.so.
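As an added illustration, not part of the question or the answer: a small Python model of the Linux-PAM control-flag semantics from pam.conf(5), run over the account stack quoted above, reports which entry ends the evaluation for a given user and whether pam_winbind.so is consulted at all. The user records are constructed; pam_succeed_if and pam_localuser are evaluated from them, and the results of every other module (including a new_authtok_reqd from pam_winbind.so for an expired password) are stubbed assumptions, not real module calls.

```python
import re
# Linux-PAM's documented expansion of the keyword control flags (pam.conf(5)).
KEYWORDS = {"required": "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
            "requisite": "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
            "sufficient": "[success=done new_authtok_reqd=done default=ignore]"}
LINE_RE = re.compile(r"^account\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
# The account stack exactly as quoted in the question.
ACCOUNT_STACK = """\
account     [default=2 success=ignore] pam_succeed_if.so quiet uid >= 10000000
account     sufficient    pam_succeed_if.so user ingroup AD_Admins debug
account     requisite     pam_succeed_if.so user ingroup AD_Developers debug
account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so""".splitlines()

def module_result(module, args, user):
    # Stand-in for invoking the module: pam_succeed_if and pam_localuser are evaluated
    # from the constructed user record; anything else returns the scenario's stub.
    if module == "pam_succeed_if.so":
        m = re.search(r"uid (>=|<) (\d+)", args)
        if m:
            ok = user["uid"] >= int(m[2]) if m[1] == ">=" else user["uid"] < int(m[2])
        else:
            ok = re.search(r"ingroup (\S+)", args)[1] in user["groups"]
        return "success" if ok else "auth_err"
    if module == "pam_localuser.so":
        return "success" if user["local"] else "user_unknown"
    return user.get("stub", {}).get(module, "success")   # assumed result, default success

def run_account_stack(user, lines=ACCOUNT_STACK):
    """Return (stack status, [(line number, module), ...] for every entry consulted)."""
    status, failed, i, consulted = "success", False, 0, []
    while i < len(lines):
        control, module, args = LINE_RE.match(lines[i]).groups()
        ret = module_result(module, args, user)
        consulted.append((i + 1, module))
        actions = dict(kv.split("=") for kv in KEYWORDS.get(control, control).strip("[]").split())
        act = actions.get(ret, actions.get("default", "bad"))
        if act in ("bad", "die") and not failed:            # required/requisite failure sticks
            status, failed = ret, True
        elif act in ("ok", "done") and not failed and status == "success":
            status = ret                                    # first non-success result is kept
        if act == "die" or (act == "done" and not failed):  # requisite failure or sufficient success
            break
        i += 1 + (int(act) if act.isdigit() else 0)         # N: jump over the next N entries
    return status, consulted
```

Calling run_account_stack with a record such as {"uid": 10000500, "groups": {"AD_Admins"}, "local": False} shows the stack ending at line 2 without pam_winbind.so ever being reached.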