Winbind issues lock out accounts when passwd is changed

Hi all,

We have some hosted servers for one of our customers running SLES 11 SP3 that I joined to our AD environment with Windows Domain Membership in YaST. In addition to the basic setup, I configured /etc/pam.d/sshd to only allow users to ssh in if they have the correct AD group. For the most part, this works great. However, any time a user that’s signed into one of the servers previously changes their network password, all of the servers start reporting failed logons, even though the user isn’t actively trying to sign in. This then causes the user’s account to lock out every few minutes. Is something in the winbind or Kerberos services trying to authenticate these users constantly? If so, how can I stop that from happening any more?

I’m not sure if this may be leading to the issue at hand, but all of these users are set up with YubiKeys for two-factor authentication into the network. Instead of entering domain\username to sign in, they enter domain\ which is generated by the key. This then syncs up to their network account.

Thanks in advance,

Nathan

Demonic240,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

Has your issue been resolved? If not, you might try one of the following options:

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.suse.com/faq.php

If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your SUSE Forums Team
http://forums.suse.com