You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The pbis.sls leverages the PBIS domainjoin-cli utility to do the heavy-lifting surrounding joining the client to the domain. However, the domainjoin-cli utility (through at least PBIS 8.3.0) defaults to inserting pam_lsass modules late in the /etc/pam.d/password-auth stack. When the pam_faillock modules are present ahead of the pam_lsass modules and a PBIS user attempts to perform password-based authentication, the pam_faillock modules abort the PAM-call before the pam_lsass modules may be referenced. This results in PBIS users only being able to do non-PAM authentications (SSH key, GSSAPI tokens, etc.)
The text was updated successfully, but these errors were encountered:
The
pbis.sls
leverages the PBISdomainjoin-cli
utility to do the heavy-lifting surrounding joining the client to the domain. However, thedomainjoin-cli
utility (through at least PBIS 8.3.0) defaults to inserting pam_lsass modules late in the/etc/pam.d/password-auth
stack. When thepam_faillock
modules are present ahead of thepam_lsass
modules and a PBIS user attempts to perform password-based authentication, thepam_faillock
modules abort the PAM-call before thepam_lsass
modules may be referenced. This results in PBIS users only being able to do non-PAM authentications (SSH key, GSSAPI tokens, etc.)The text was updated successfully, but these errors were encountered: