Hi,

We recently upgraded to 8.3.9 (from 8.3.6) because we were having the issue described in the fix below. Our postgres user and other domain users with PAM authentication were getting locked out, in accordance with our group domain policy of 10 failed login attempts in 30 minutes. I included some information about our environment below. Sadly, after the upgrade to 8.3.9, we are still experiencing this issue. Has anyone else reported that this issue still exists after the 8.3.9 fix below?

Thanks in advance,

So far, we have only migrated 1 of 3 Linux/PostgreSQL servers from using OpenLDAP to now using Active Directory. We'd like to move the other 2 to production once we solve this issue. It's a random issue. Some domain users don't have the problem of getting locked out and some do, even though everyone is putting in their right password. We made the postgres user md5 to put a patch on things for now, but we still have at least 2 users getting locked out pretty often.

Maybe the best thing is to switch to GSSAPI authentication instead of PAM. Does anyone have any suggestions or experience with this?

~DjK

##
Fix PAM password processing to be more robust (Tom) The previous code is known to fail with the combination of the Linux pam_krb5 PAM module with Microsoft Active Directory as the domain controller. It might have problems elsewhere too, since it was making unjustified assumptions about what arguments the PAM stack would pass to it.

##
Linux and AD
The AD is running at a domain functional level of Windows Server 2003, however the schema is updated to Windows Server 2008.
Linux OS: SLES 9 sp4
2.6.5-7.308-smp #1 SMP Mon Dec 10 11:36:40 UTC 2007 x86_64 x86_64 x86_64 GNU/Linux

## PAM -- postgres
auth required pam_unix2.so nullok
account required pam_unix2.so
## nsswitch.conf --
passwd: compat
group: compat
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files nis
aliases: files
passwd_compat: ldap
group_compat: ldap
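
Added example (not part of the original message, and not PostgreSQL project code): a Python check that counts PAM authentication failures per user in a sliding 30-minute window against the 10-attempt lockout policy described above, so the server log shows which accounts this database host is pushing toward lockout. It assumes log_line_prefix = '%t ' and the server's "PAM authentication failed for user" message; the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy from the message: 10 failed logins in 30 minutes locks the account.
THRESHOLD = 10
WINDOW = timedelta(minutes=30)

# Assumption: log_line_prefix = '%t ' (timestamp and zone, then severity).
LINE_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ FATAL:\s+'
    r'PAM authentication failed for user "([^"]+)"'
)

def lockout_candidates(lines, threshold=THRESHOLD, window=WINDOW):
    """Map user -> time of the failure that first reached the threshold.
    Lines must be in chronological order, as in a server log file."""
    recent = defaultdict(deque)   # user -> failure times inside the window
    tripped = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # not a PAM failure line
        user = m.group(2)
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        q = recent[user]
        q.append(ts)
        # Drop failures that have aged out of the sliding window.
        while ts - q[0] >= window:
            q.popleft()
        if len(q) >= threshold:
            tripped.setdefault(user, ts)
    return tripped

def build_sample():
    """Constructed log lines: alice fails every 3 min, bob every 4 min."""
    base = datetime(2010, 1, 12, 9, 0, 0)
    lines = []
    for user, step in (("alice", 3), ("bob", 4)):
        for i in range(10):
            ts = base + timedelta(minutes=step * i)
            lines.append(f'{ts:%Y-%m-%d %H:%M:%S} UTC FATAL:  '
                         f'PAM authentication failed for user "{user}"')
    lines.append('2010-01-12 09:40:00 UTC LOG:  connection authorized: user=carol database=app')
    return sorted(lines)

if __name__ == "__main__":
    for user, ts in lockout_candidates(build_sample()).items():
        print(f"{user}: reached {THRESHOLD} failures in 30 min at {ts}")
```

Comparing the per-user failure times with the number of logins the user actually attempted shows whether a single login is generating more than one failed PAM authentication.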
