SUSE Support

Here When You Need Us

AD user accounts get locked in AD after a successful password change

This document (7017990) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 15

Situation

The SLES servers in the environment are all configured to use Kerberos to authenticate AD users.
This is working as expected and users are able to authenticate.

After successfully changing an AD user's password (in AD) the users account (in AD) will eventually get locked.

The DC log blames one of the SLES servers in the environment for doing too many invalid login attempts.

The SLES server that causes the locked account is not always the same one and typically has not been authenticated to in recent memory.

Resolution

In the /etc/samba/samba.conf file of the SLES server that is blamed for causing the user account to be locked either comment out these two lines or make sure that they are not declared.  (This is the default configuration.)

# /etc/samba/smb.conf
[global]

#    winbind offline logon = yes
#    winbind refresh tickets = yes

In addition to these changes change the pam_winbind.conf settings, like this:

# /etc/security/pam_winbind.conf
[global]
     cached_login = no
     krb5_auth = yes
     krb5_ccache_type =

That will allow Kerberos authentications but will not allow the winbind caching of user credentials as far as Kerberos and Winbind are concerned.

From a command line, stop the relevant services with: rcsmb stop and rcnmb stop.
Then start them up again with similar commands: rcnmb start  and rcsmb start.

Cause

Here is what the man page says about these Kerberos settings:

krb5_auth

pam_winbind can authenticate using Kerberos when winbindd is talking to an Active Directory domain controller. Kerberos authentication must be enabled with this parameter. When Kerberos authentication can not succeed (e.g. due to clock skew), winbindd will fallback to samlogon authentication over MSRPC. When this parameter is used in conjunction with winbind refresh tickets, winbind will keep your Ticket Granting Ticket (TGT) uptodate by refreshing it whenever necessary.

krb5_ccache_type=[type]

When pam_winbind is configured to try kerberos authentication by enabling the krb5_auth option, it can store the retrieved Ticket Granting Ticket (TGT) in a credential cache. The type of credential cache can be set with this option. Currently the only supported value is: FILE. In that case a credential cache in the form of /tmp/krb5cc_UID will be created, where UID is replaced with the numeric user id. Leave empty to just do kerberos authentication without having a ticket cache after the logon has succeeded.

cached_login

Winbind allows to logon using cached credentials when winbind offline logon is enabled. To use this feature from the PAM module this option must be set.

Here is what the man page says about the related smb.conf settings:

 # /etc/samba/smb.conf

[global]

     winbind offline logon = yes

     winbind refresh tickets = yes

 

winbind refresh tickets (G)

This parameter is designed to control whether Winbind should refresh Kerberos Tickets retrieved using the pam_winbind module.

Default: winbind refresh tickets = false

Example: winbind refresh tickets = true

winbind offline logon (G)

This parameter is designed to control whether Winbind should allow to login with the pam_winbind module using Cached Credentials. If enabled, winbindd will store user credentials from successful logins encrypted in a local cache.

Default: winbind offline logon = false

Example: winbind offline logon = true

Setting the above mentioned Kerberos and Samba/winbind settings back to their default values disables the caching of credentials and avoids this problem.

Additional Information

Note: Running "yast samba-client" (Windows Domain Membership) will overwrite those settings, please create backup of these files or re-add them afterwards.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7017990
  • Creation Date: 26-Aug-2016
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.