Linux authentication to AD causing lockout on single failure


I am trying to set up a Linux box (specifically CentOS 6) to authenticate users via our Windows AD. The authentication works fine. The problem: our password lockout policy is 3 strikes and you're locked. If a user logging into the Linux host enters their password wrong just once, their account gets locked.

Here is my /etc/pam.d/system-auth file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account [default=ignore success=1] pam_succeed_if.so uid < 16777216 quiet
# only allow login if user is in group serveradmins
account [default=bad success=ignore] pam_succeed_if.so user ingroup serveradmins quiet
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

Here are the log entries captured in /var/log/secure when a user tried to log in and gave the wrong password on the first try. For the sake of brevity, I've stripped off the datetime and hostname from the start of the log entries:

sshd[1589]: Connection from 22.33.44.55 port 49532
sshd[1589]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host0001.foo.bar  user=gumby
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): Authentication failure (Preauthentication failed)
sshd[1589]: pam_winbind(sshd:auth): getting password (0x00000010)
sshd[1589]: pam_winbind(sshd:auth): pam_get_item returned a password
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
sshd[1589]: pam_winbind(sshd:auth): user 'gumby' denied access (incorrect password or invalid membership)
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): Authentication failure (Preauthentication failed)
sshd[1589]: pam_winbind(sshd:auth): getting password (0x00000010)
sshd[1589]: pam_winbind(sshd:auth): pam_get_item returned a password
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
sshd[1589]: pam_winbind(sshd:auth): user 'gumby' denied access (incorrect password or invalid membership)
sshd[1589]: Failed password for gumby from 22.33.44.55 port 49532 ssh2
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): User not known to the underlying authentication module (Clients credentials have been revoked)
sshd[1589]: pam_winbind(sshd:auth): getting password (0x00000010)
sshd[1589]: pam_winbind(sshd:auth): pam_get_item returned a password
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked out
sshd[1589]: pam_winbind(sshd:auth): internal module error (retval = PAM_MAXTRIES(11), user = 'gumby')
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): User not known to the underlying authentication module (Clients credentials have been revoked)
sshd[1589]: pam_winbind(sshd:auth): getting password (0x00000010)
sshd[1589]: pam_winbind(sshd:auth): pam_get_item returned a password
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked out
sshd[1589]: pam_winbind(sshd:auth): internal module error (retval = PAM_MAXTRIES(11), user = 'gumby')
sshd[1589]: Failed password for gumby from 22.33.44.55 port 49532 ssh2

What in this configuration is causing the authentication module to try multiple times and how might we change it to make it not do that?

Thanks.

Tags: linux, authentication, active-directory, samba, pam
asked on Stack Overflow Dec 20, 2013 by daveg
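As an added audit check (not part of the question or any answer), here is a small Python script that groups the /var/log/secure lines above by sshd PID and counts, for each "Failed password" line sshd reports, how many AD-facing failures the PAM stack produced first (one per pam_krb5 failure and one per pam_winbind wbcLogonUser failure). The sample log is constructed from the question's excerpt, and the counting rules are assumptions about which lines the DC charges as bad-password attempts.

```python
import re
from collections import defaultdict

# Constructed sample, condensed from the question's /var/log/secure excerpt
# (timestamp and hostname already stripped, as in the question).
SAMPLE_LOG = """\
sshd[1589]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host0001.foo.bar  user=gumby
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): Authentication failure (Preauthentication failed)
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): Authentication failure (Preauthentication failed)
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
sshd[1589]: Failed password for gumby from 22.33.44.55 port 49532 ssh2
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): User not known to the underlying authentication module (Clients credentials have been revoked)
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked out
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): User not known to the underlying authentication module (Clients credentials have been revoked)
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked out
sshd[1589]: Failed password for gumby from 22.33.44.55 port 49532 ssh2
"""

PID_RE = re.compile(r"^sshd\[(\d+)\]: (.*)$")
FAILED_PW_RE = re.compile(r"^Failed password for (\S+) from")
LOCKOUT_MARKERS = ("NT_STATUS_ACCOUNT_LOCKED_OUT", "credentials have been revoked")


def audit_dc_failures(log_text):
    """Per sshd PID, count the AD-facing failures (assumed: one per pam_krb5 failure,
    one per pam_winbind wbcLogonUser failure) behind each 'Failed password' line."""
    pending = defaultdict(lambda: {"krb5": 0, "winbind": 0, "locked": False})
    events = []
    for line in log_text.splitlines():
        m = PID_RE.match(line)
        if not m:
            continue  # not an sshd line (or still carries a timestamp/hostname prefix)
        pid, msg = m.groups()
        st = pending[pid]
        if msg.startswith("pam_krb5") and "authentication fails for" in msg:
            st["krb5"] += 1
        elif msg.startswith("pam_winbind") and "wbcLogonUser failed" in msg:
            st["winbind"] += 1
        if any(marker in msg for marker in LOCKOUT_MARKERS):
            st["locked"] = True  # the DC has already locked the account
        fp = FAILED_PW_RE.match(msg)
        if fp:
            events.append({"pid": pid, "user": fp.group(1), "krb5": st["krb5"],
                           "winbind": st["winbind"], "dc_failures": st["krb5"] + st["winbind"],
                           "locked_out": st["locked"]})
            del pending[pid]  # the next password the user types starts a fresh count
    return events
```

On the question's log this reports 4 DC-facing failures behind the first "Failed password" line, which already exceeds a 3-strike policy, and the second event arrives with the lockout flag set.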

2 Answers


So this is an old post but might save a few people several days of troubleshooting.

Although sometimes the simplest of answers are usually the right ones, in the case of migrations you should always check that routes, firewall and DNS entries are the same and NTP is synchronized.

Short background: Problems started when it was decided to migrate the old DC to new versions (Windows Server 2008 -> Windows Server 2016). Our Linux environment consisted of RHEL 5, 6 and 7 systems joined to AD through Samba/Winbind.

By default, Windows Server 2016 has SMBv1 disabled; this means that all RHEL 5 and 6 systems were failing to communicate with the new DCs. For reference: https://access.redhat.com/articles/3164551

This can be resolved by enabling this feature on the DC (provided you understand the consequences of enabling a 30-year-old protocol):

[image: SMBv1]

In case the pic is no longer available (action on DC): Add roles and features -> Features -> SMB 1.0/CIFS File Sharing Support -> check.

Note: you need to reboot after enabling this.

Everything was running smoothly after that change, or so it seemed.

I also stumbled upon this particular error in the server's (RHEL 5) logs:

Oct 27 09:06:58 dummy sshd[22520]: Failed password for some_user from x.x.x.x port 53207 ssh2
Oct 27 09:07:07 dummy sshd[22520]: pam_winbind(sshd:auth): getting password (0x00000050)
Oct 27 09:07:07 dummy sshd[22520]: pam_winbind(sshd:auth): pam_get_item returned a password
Oct 27 09:07:07 dummy sshd[22520]: pam_winbind(sshd:auth): request failed: Wrong Password, PAM error was Authentication failure (7), NT error was NT_STATUS_WRONG_PASSWORD
Oct 27 09:07:07 dummy sshd[22520]: pam_winbind(sshd:auth): user 'some_user' denied access (incorrect password or invalid membership)
Oct 27 09:07:09 dummy sshd[22520]: Failed password for some_user from x.x.x.x port 53207 ssh2

And I also could not authenticate with my own account, so I migrated to samba3x. Reference (I did not do all the steps): https://access.redhat.com/solutions/42635

For those who might not have an account, these are the steps I took:

Backup original config files (you will need your smb.conf):

tar cf /root/backup_samba_migration.tar /etc/samba /var/cache/samba /var/lib/samba

Stop services:

service smb stop; service winbind stop

Remove samba and install samba3x:

yum remove samba samba-common -y
yum install samba3x* -y

This is where you put your old smb.conf:

vim /etc/samba/smb.conf

You should also copy pam_winbind.conf (we used the required_membership parameter, for example):

\cp /etc/security/pam_winbind.conf.rpmsave /etc/security/pam_winbind.conf

In my case I needed to rejoin the domain (you might not need to use createcomputer):

net ads join -U youradminaccount createcomputer="Linux system"

Restart services:

service smb restart; service winbind restart

Test (before this, authentication would give a direct failed password):

wbinfo -t
wbinfo -a youradminaccount

Hope it helps, have a good one!

answered on Stack Overflow Oct 28, 2020 by zorry

To determine exactly what is going on, you should put the 'debug' flag on there.
It is also not helpful to remove timestamps from the log to understand a performance problem.

I think you do pam_krb5 auth first, then pam_winbind auth, then pam_krb5 account and then you are locked out.

Try to only use krb5 OR winbind for the tasks. Not both.

answered on Stack Overflow Feb 17, 2014 by mmeier

User contributions licensed under CC BY-SA 3.0