How to configure pam.d correctly?
Hello!
There are several servers on Debian 8 and a domain on Windows. Domain authorization is configured on Debian.
Authorization and sudo work.
The problem is that in the auth.log log, in addition to successful authorization through pam_krb5, there are messages about unsuccessful authorization through pam_unix:
sshd[30754]: pam_krb5(sshd:auth): user test authenticated as [email protected]
sshd[30754]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host.domain.local user=test
sshd[30754]: Accepted password for test from 172.17.18.1 port 41138 ssh2
sshd[30754]: pam_unix(sshd:session) : session opened for user test by (uid=0)
sudo: pam_krb5(sudo:auth): user test authenticated as [email protected]
sudo: pam_unix(sudo:auth): authentication failure; logname=test uid=10000 euid=0 tty=/dev/pts/0 ruser=test rhost= user=test
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth optional pam_group.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
password required pam_cracklib.so retry=6 minlen=7 dcredit=-1 lcredit=-1 ocredit=0 ucredit=0
password sufficient pam_unix.so remember=4 sha512 shadow nullok try_first_pass use_authtok
auth sufficient pam_unix.so nullok_secure use_first_pass
auth sufficient pam_winbind.so use_first_pass
If you have Windows users logging in more often, just swap these lines; then, when logging in, unix users will swear at pam_winbind, but, for example, less often.
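An added example (not part of the original answer, and not Linux-PAM code): a minimal model of the control flow, run over the auth lines from the question, showing which modules are called and which ones log a failure before and after the swap. It assumes the auth lines are evaluated as one stack in the order posted; the per-account module outcomes and the names evaluate and swap_sufficient are constructed for the illustration.

```python
# Minimal model of Linux-PAM control values; "optional" results are ignored here.
# Assumption: the question's auth lines form one stack, in the order posted.
AUTH_STACK = [
    ("success=3", "pam_krb5"),
    ("success=2", "pam_unix"),
    ("success=1", "pam_winbind"),
    ("optional", "pam_group"),
    ("sufficient", "pam_unix"),
    ("sufficient", "pam_winbind"),
    ("requisite", "pam_deny"),
    ("required", "pam_permit"),
]
# Constructed outcomes: which module can verify which kind of account.
OUTCOMES = {
    "domain": {"pam_krb5": True, "pam_unix": False, "pam_winbind": True},
    "local": {"pam_krb5": False, "pam_unix": True, "pam_winbind": False},
}
FIXED = {"pam_group": True, "pam_deny": False, "pam_permit": True}

def evaluate(stack, account):
    """Return (granted, modules_called, modules_that_failed)."""
    results = {**FIXED, **OUTCOMES[account]}
    called, failed = [], []
    granted = required_failed = False
    i = 0
    while i < len(stack):
        control, module = stack[i]
        ok = results[module]
        called.append(module)
        if not ok:
            failed.append(module)  # each failing module writes its own log line
        i += 1
        if control.startswith("success="):
            if ok:  # [success=N default=ignore]: skip the next N modules
                i += int(control.split("=")[1])
        elif control == "sufficient" and ok and not required_failed:
            return True, called, failed  # stack ends here with success
        elif control == "requisite" and not ok:
            return False, called, failed  # stack ends here with failure
        elif control == "required":
            granted = granted or ok
            required_failed = required_failed or not ok
    return granted and not required_failed, called, failed

def swap_sufficient(stack):
    """The answer's suggestion: put the sufficient pam_winbind line first."""
    s = list(stack)
    s[4], s[5] = s[5], s[4]
    return s

if __name__ == "__main__":
    for name, stack in (("posted", AUTH_STACK), ("swapped", swap_sufficient(AUTH_STACK))):
        for account in ("domain", "local"):
            print(name, account, evaluate(stack, account))
```

In this model the domain user's pam_krb5 success skips three lines and lands on the sufficient pam_unix line, which is the failure seen in auth.log; after the swap it lands on pam_winbind instead and pam_unix is never called for that user.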