When sudo is used with an Active Directory account, pam_tally records a failed logon attempt even when the correct password is supplied, and when a bad password is supplied it records two failed attempts. The observed behaviour is:
1) Failed sudo causes counter to be incremented by two
2) Successful sudo does not reset counter
3) Successful sudo increments counter by one
Place the pam_tally entry at the top of the auth stack in system-auth, ahead of the pam_vas3 entries. For example:
auth required pam_tally.so deny=3
auth required pam_env.so
#auth required pam_tally.so onerr=fail per_user deny=3
auth sufficient pam_vas3.so create_homedir get_nonvas_pass try_first_pass
auth requisite pam_vas3.so echo_return
auth sufficient pam_unix.so nullok try_first_pass use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
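As an added check (constructed for this note, not part of the One Identity article), the shell function below reads a PAM stack file and reports whether the first active auth entry for pam_tally.so precedes the first active auth entry for pam_vas3.so; the two sample stacks it is run against are constructed to mirror the broken and corrected orderings shown above.

```shell
# Constructed example, not from the One Identity article: verify that in a PAM
# stack file (e.g. /etc/pam.d/system-auth) the first active "auth" line for
# pam_tally.so comes before the first active "auth" line for pam_vas3.so.
# Commented-out entries (leading #) are ignored. Exit status 0 = order is correct.
pam_tally_before_vas3() {
    awk '
        /^[[:space:]]*#/ { next }                  # skip commented-out entries
        $1 == "auth" && /pam_tally\.so/ && !t { t = NR }
        $1 == "auth" && /pam_vas3\.so/  && !v { v = NR }
        END { exit !(t && (!v || t < v)) }         # 0 if tally is first (or vas3 absent)
    ' "$1"
}

# Constructed sample stacks (not real system files) for a self-check.
tmpdir=$(mktemp -d)
cat > "$tmpdir/broken.pam" <<'EOF'
auth required pam_env.so
auth sufficient pam_vas3.so create_homedir get_nonvas_pass try_first_pass
auth required pam_tally.so onerr=fail per_user deny=3
EOF
cat > "$tmpdir/fixed.pam" <<'EOF'
auth required pam_tally.so deny=3
auth required pam_env.so
#auth required pam_tally.so onerr=fail per_user deny=3
auth sufficient pam_vas3.so create_homedir get_nonvas_pass try_first_pass
EOF

for f in broken.pam fixed.pam; do
    if pam_tally_before_vas3 "$tmpdir/$f"; then
        echo "$f: pam_tally precedes pam_vas3 (OK)"
    else
        echo "$f: pam_tally missing or placed after pam_vas3"
    fi
done
```

Run it against the live file with `pam_tally_before_vas3 /etc/pam.d/system-auth` after applying the change.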