AD user accounts get locked in AD after a successful password change
This document (7017990) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 15
Situation
This is working as expected and users are able to authenticate.
After successfully changing an AD user's password (in AD) the users account (in AD) will eventually get locked.
The DC log blames one of the SLES servers in the environment for doing too many invalid login attempts.
The SLES server that causes the locked account is not always the same one and typically has not been authenticated to in recent memory.
Resolution
# /etc/samba/smb.conf
[global]
…
# winbind offline logon = yes
# winbind refresh tickets = yes
In addition to these changes change the pam_winbind.conf settings, like this:
# /etc/security/pam_winbind.conf
[global]
cached_login = no
krb5_auth = yes
krb5_ccache_type =
That will allow Kerberos authentications but will not allow the winbind caching of user credentials as far as Kerberos and Winbind are concerned.
From a command line, stop the relevant services with: rcsmb stop and rcnmb stop.
Then start them up again with similar commands: rcnmb start and rcsmb start.
Cause
Here is what the man page says about these Kerberos settings:
krb5_auth
pam_winbind can authenticate using Kerberos when winbindd is talking to an Active Directory domain controller. Kerberos authentication must be enabled with this parameter. When Kerberos authentication can not succeed (e.g. due to clock skew), winbindd will fallback to samlogon authentication over MSRPC. When this parameter is used in conjunction with winbind refresh tickets, winbind will keep your Ticket Granting Ticket (TGT) uptodate by refreshing it whenever necessary.
krb5_ccache_type=[type]
When pam_winbind is configured to try kerberos authentication by enabling the krb5_auth option, it can store the retrieved Ticket Granting Ticket (TGT) in a credential cache. The type of credential cache can be set with this option. Currently the only supported value is: FILE. In that case a credential cache in the form of /tmp/krb5cc_UID will be created, where UID is replaced with the numeric user id. Leave empty to just do kerberos authentication without having a ticket cache after the logon has succeeded.
cached_login
Winbind allows to logon using cached credentials when winbind offline logon is enabled. To use this feature from the PAM module this option must be set.
Here is what the man page says about the related smb.conf settings:
# /etc/samba/smb.conf
[global]
…
winbind offline logon = yes
winbind refresh tickets = yes
winbind refresh tickets (G)
This parameter is designed to control whether Winbind should refresh Kerberos Tickets retrieved using the pam_winbind module.
Default: winbind refresh tickets = false
Example: winbind refresh tickets = true
winbind offline logon (G)
This parameter is designed to control whether Winbind should allow to login with the pam_winbind module using Cached Credentials. If enabled, winbindd will store user credentials from successful logins encrypted in a local cache.
Default: winbind offline logon = false
Example: winbind offline logon = true
Setting the above mentioned Kerberos and Samba/winbind settings back to their default values disables the caching of credentials and avoids this problem.Additional Information
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7017990
- Creation Date: 26-Aug-2016
- Modified Date:03-Mar-2020
-
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
