-
Title
AIX - "mapped user" mode and local account lockout settings -
Description
Mapped users are locked out due to too many incorrect password attempts.
-
Cause
When an incorrect password is entered during a login attempt, the local password counter is incremented as well as the AD users login counter. This is OS behavior, and is not configurable in QAS.
This may cause a problem depending on the service that is used to login.
- If you are SU'ing to the user, then you will likely still get access to the user account.
"su" does not appear to make any local account checks for a mapped user (such as "account locked" or "too many incorrect password attempts")
- If using "ssh" then you will likely be denied access to the mapped user if the local account is locked, or of the "incorrect password counter" exceeds the allowed limit. This is due to "sshd" checking these local policies regardless of the "SYSTEM" that the user is configured to use. -
Resolution
RESOLUTION 1:
You could disable the local incorrect password counter for all local accounts by modifying the /etc/security/user file and changing the following option:
default:
loginretries = 0
RESOLUTION 2:
When the user inputs a correct password then both counters are reset to 0 (both local and AD). If the local policy is changed to a higher value than AD then the user will likely be locked out of AD before hitting the local policy. This might be considered more desirable behaviour.
RESOLUTION 3:
Modify the policy for each mapped user in the /etc/security/user file. This has the advantage of keeping any existing local policies for real local accounts, whilst changing the behaviour for only AD mapped accounts. The downside is that this is hard to maintain, and is not easily automated.