Dmitry, 2017-08-18 13:50:01

How to configure pam.d correctly?

Hello!
There are several servers on Debian 8 and a domain on Windows. Domain authorization is configured on Debian.
Authorization and sudo work.
The problem is that in the auth.log log, in addition to successful authorization through pam_krb5, there are messages about unsuccessful authorization through pam_unix:

sshd[30754]: pam_krb5(sshd:auth): user test authenticated as [email protected]
sshd[30754]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host.domain.local user=test
sshd[30754]: Accepted password for test from 172.17.18.1 port 41138 ssh2
sshd[30754]: pam_unix(sshd:session) : session opened for user test by (uid=0)
sudo: pam_krb5(sudo:auth): user test authenticated as [email protected]
sudo: pam_unix(sudo:auth): authentication failure; logname=test uid=10000 euid=0 tty=/dev/pts/0 ruser=test rhost= user=test

I suspect that in order to get rid of the log entries about unsuccessful authorization, pam.d must be configured correctly. Please tell me how to do it properly.
Current configurations:
common-auth:
auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    optional        pam_group.so
auth    sufficient      pam_unix.so nullok_secure  use_first_pass
auth    sufficient      pam_winbind.so use_first_pass

auth    requisite                       pam_deny.so

auth    required                        pam_permit.so

common-password:
password        [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
password        [success=1 default=ignore]      pam_winbind.so use_authtok try_first_pass

password        requisite                       pam_deny.so

password        required                        pam_permit.so

password        required                         pam_cracklib.so retry=6 minlen=7 dcredit=-1 lcredit=-1 ocredit=0 ucredit=0
password        sufficient                       pam_unix.so remember=4 sha512 shadow nullok try_first_pass use_authtok

1 answer(s)
Saboteur, 2017-08-18
@enterdv

auth sufficient pam_unix.so nullok_secure use_first_pass
auth sufficient pam_winbind.so use_first_pass

If you have Windows users logging in more often, just swap these lines; then, when logging in, unix users will swear at pam_winbind, but, for example, less often...
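Which modules actually run for one login can be traced with a small model of the stack walk over the common-auth posted in the question. This is an added example, not part of the question or the answer and not libpam's own code; the per-module results passed to `walk()` are assumptions, and the model leaves out cached chains and the status handling of jumps.

```python
# Added example: simplified model of how libpam walks an auth stack.
KEYWORDS = {  # keyword controls in their bracket form, per pam.conf(5)
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
FIXED = {"pam_group.so": True, "pam_deny.so": False, "pam_permit.so": True}  # assumed
# common-auth as posted in the question, blank lines dropped.
COMMON_AUTH = """\
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth optional pam_group.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""

def parse(text):
    """Return [(control dict, module name)], one entry per stack line."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        rest = line.split(None, 1)[1]              # drop the "auth" type
        if rest.startswith("["):
            ctl, rest = rest[1:].split("]", 1)
            control = dict(kv.split("=") for kv in ctl.split())
        else:
            word, rest = rest.split(None, 1)
            control = KEYWORDS[word]
        rules.append((control, rest.split()[0]))
    return rules

def walk(rules, outcome):
    """outcome: module -> bool (assumed). Returns (granted, trace)."""
    trace, i, failed, positive = [], 0, False, False
    while i < len(rules):
        control, module = rules[i]
        ok = {**FIXED, **outcome}[module]
        trace.append((i + 1, module, ok))
        action = control.get("success" if ok else "default", "bad")
        if action.isdigit():
            i += int(action)                       # jump over N modules
        elif action in ("die", "done"):            # both end the walk here
            return action == "done" and not failed, trace
        failed |= action == "bad"
        positive |= action == "ok"
        i += 1
    return positive and not failed, trace
```

With pam_krb5 and pam_winbind assumed to succeed and pam_unix to fail for a domain user, the walk visits lines 1, 5 and 6: `success=3` on line 1 jumps over three lines and lands on the `sufficient pam_unix.so` line, which still runs and fails before pam_winbind grants access.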
