Return
-
Title
How do I configure RHEL 8 faillock to work with local users or local and AD users? -
Description
Is it possible to configure faillock to work with local users while Authentication Services is in use?Is it possible to configure faillock to work with local and Active Directory users while Authentication Services is in use? -
Resolution
Both are possible but require different configurations.NOTE - This is an example only to get started but is expected to work. Different configurations or other specific needs will require PSO.Assistance configuring /etc/security/faillock.conf will require PSO or should be sought via Redhat support.IMPORTANT - For both configurations backup the following files:/usr/share/authselect/vendor/AuthenticationServices/system-auth/usr/share/authselect/vendor/AuthenticationServices/password-authRESOLUTION #1Enforcing faillock for local users only.You will need to make the same edits in both of the files you backed up:/usr/share/authselect/vendor/AuthenticationServices/system-auth/usr/share/authselect/vendor/AuthenticationServices/password-authIn both files noted above, you will need to replace the "auth" and "account" sections with the lines below.auth required pam_env.soauth sufficient pam_vas3.so create_homedir get_nonvas_pass {if "with-debug":debug trace}auth requisite pam_vas3.so echo_return {if "with-debug":debug trace}auth required pam_faillock.so preauth silent {include if "with-faillock"}auth sufficient pam_unix.so nullok use_first_passauth required pam_faillock.so authfail {include if "with-faillock"}auth required pam_deny.soaccount required pam_faillock.so {include if "with-faillock"}account sufficient pam_vas3.so {if "with-debug":debug trace}account requisite pam_vas3.so echo_returnaccount required pam_unix.soaccount sufficient pam_localuser.soaccount sufficient pam_succeed_if.so uid <account required pam_permit.soOnce edited correctly run;# authselect select AuthenticationServices --forceNow the configuration is in place but still needs to be enabled.# authselect enable-feature with-faillockIt should now be enabled for local users.To undo this configuration perform the following steps.1) # authselect disable-feature with-faillock2) Restore the backups to the files:/usr/share/authselect/vendor/AuthenticationServices/system-auth/usr/share/authselect/vendor/AuthenticationServices/password-auth3) # authselect select AuthenticationServices --forceRESOLUTION #2Enforcing faillock for local users and Active Directory users.NOTE - This will NOT disable Active Directory lockout policies. All AD users are processed via Active Directory and are subject to those rules.You will need to make the same edits in both of the files you backed up:/usr/share/authselect/vendor/AuthenticationServices/system-auth/usr/share/authselect/vendor/AuthenticationServices/password-authIn both files noted above, you will need to replace the "auth" and "account" sections with the lines below.auth required pam_env.soauth required pam_faillock.so preauth silent {include if "with-faillock"}auth sufficient pam_vas3.so create_homedir get_nonvas_pass {if "with-debug":debug trace}auth required pam_faillock.so authfail {include if "with-faillock"}auth requisite pam_vas3.so echo_return {if "with-debug":debug trace}auth sufficient pam_unix.so nullok use_first_passauth required pam_deny.soaccount required pam_faillock.so {include if "with-faillock"}account sufficient pam_vas3.so {if "with-debug":debug trace}account requisite pam_vas3.so echo_returnaccount required pam_unix.soaccount sufficient pam_localuser.soaccount sufficient pam_succeed_if.so uid <account required pam_permit.soOnce edited correctly run;# authselect select AuthenticationServices --forceNow the configuration is in place but still needs to be enabled.# authselect enable-feature with-faillockIt should now be enabled for local users.To undo this configuration perform the following steps.1) # authselect disable-feature with-faillock2) Restore the backups to the files:/usr/share/authselect/vendor/AuthenticationServices/system-auth/usr/share/authselect/vendor/AuthenticationServices/password-auth3) # authselect select AuthenticationServices --force