Common Question?
"It appears this is from pam_vas compared with RHEL. Why does it need pam_vas: Authentication if a Kerberos ticket is used (Accepted gssapi-with-mic)?"
And the following errors could be seen:
sshd[52459]: pam_vas: Authentication <failed passwordless> for <Active Directory> user: <x> account: <x> service: <sshd> reason: <Account locked - Too many incorrect password attempts.>
sshd[19727798]: error: PAM: User account has expired for user1 from 10.10.10.10
The access attempts that are triggering the lockout are not coming through SAS, and the "account has expired" message likewise originates from AD.
SAS only enforces the account status held in AD. VAS returns the user's information, which includes both access control and account control, so even when the system holds a valid Kerberos ticket, if AD reports the account as locked, SAS reports the account to the OS as locked.
PAM is consulted for both authentication and authorization. With GSSAPI, authentication succeeds without VAS having to check a password, but sshd still asks pam_vas whether the user is authorized, and at that point pam_vas returns the AD account status, which says the account is locked.
SAS adheres to the password policies in AD because these are AD users. SAS has no built-in ability to lock or expire accounts.
There is no way for One Identity or SAS to determine what locked the account, and no message indicates that VAS locked it.
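The distinction above (GSSAPI authentication succeeds, the PAM account stage then denies access based on AD status) shows up in sshd logs as an "Accepted gssapi-with-mic" line followed by a pam_vas or PAM error line for the same sshd PID. The script below is an added example, not One Identity code or part of this article: it correlates those two log lines per PID over constructed sample lines modelled on the messages quoted above, so an administrator can separate "denied by AD account status" from a true authentication failure. Host names, user names, IPs and PIDs in the sample are made up.

```python
import re
from collections import OrderedDict

# Constructed sample sshd log lines (not taken from any real system).
# The pam_vas and "PAM: User account has expired" lines follow the shapes quoted in the article.
SAMPLE_LOG = """\
Jan 12 09:14:01 host1 sshd[52459]: Accepted gssapi-with-mic for jdoe from 10.10.10.10 port 51234 ssh2
Jan 12 09:14:01 host1 sshd[52459]: pam_vas: Authentication <failed passwordless> for <Active Directory> user: <jdoe> account: <jdoe> service: <sshd> reason: <Account locked - Too many incorrect password attempts.>
Jan 12 09:15:07 host1 sshd[19727798]: Accepted gssapi-with-mic for user1 from 10.10.10.10 port 51300 ssh2
Jan 12 09:15:07 host1 sshd[19727798]: error: PAM: User account has expired for user1 from 10.10.10.10
Jan 12 09:16:30 host1 sshd[60001]: Accepted gssapi-with-mic for asmith from 10.10.10.11 port 51400 ssh2
Jan 12 09:16:30 host1 sshd[60001]: pam_unix(sshd:session): session opened for user asmith by (uid=0)
"""

# The sshd PID ties the authentication line and the later PAM account-stage line together.
PID_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")
PAM_VAS_RE = re.compile(
    r"^pam_vas: Authentication <(?P<outcome>[^>]*)> .*?user: <(?P<user>[^>]*)>.*?reason: <(?P<reason>[^>]*)>"
)
PAM_EXPIRED_RE = re.compile(r"^error: PAM: User account has expired for (?P<user>\S+) from (?P<ip>\S+)")


def analyze(log_text):
    """Return one record per sshd PID whose login was accepted (e.g. via GSSAPI)
    but then denied by the PAM account stage with an AD-originated reason."""
    sessions = OrderedDict()  # pid -> session record, in first-seen order
    for line in log_text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        s = sessions.setdefault(
            pid, {"pid": pid, "user": None, "ip": None, "method": None, "denial": None}
        )
        a = ACCEPTED_RE.match(msg)
        if a:
            # Authentication succeeded; no password was checked by VAS for gssapi-with-mic.
            s.update(user=a.group("user"), ip=a.group("ip"), method=a.group("method"))
            continue
        v = PAM_VAS_RE.match(msg)
        if v and v.group("outcome").startswith("failed"):
            # pam_vas relaying the AD account status (e.g. "Account locked - ...").
            s["user"] = s["user"] or v.group("user")
            s["denial"] = v.group("reason")
            continue
        e = PAM_EXPIRED_RE.match(msg)
        if e:
            s["user"] = s["user"] or e.group("user")
            s["denial"] = "Account expired"
    return [s for s in sessions.values() if s["denial"]]


def classify(denial):
    """Map a denial reason to the AD account condition that caused it."""
    text = denial.lower()
    if "locked" in text:
        return "locked"
    if "expired" in text:
        return "expired"
    return "other"


def summarize(findings):
    """Human-readable lines pointing the administrator at AD rather than at SAS."""
    lines = []
    for f in findings:
        lines.append(
            f"sshd[{f['pid']}] {f['user']} from {f['ip']}: authenticated via {f['method']} "
            f"but denied at PAM account stage ({classify(f['denial'])}: {f['denial']}); "
            f"the status comes from AD, SAS only enforces it"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(analyze(SAMPLE_LOG)):
        print(line)
```

Because the denial record carries the AD reason, the next step is to look at the account in AD (or the domain controller's own audit trail) rather than at the Unix host, which matches the article's point that SAS has no lockout or expiry mechanism of its own.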