Обсуждение: Postgresql & PAM & AD
Hi,
We recently upgraded to 8.3.9 (from 8.3.6) because we were having the issue described in the fix below. Our postgres user and other domain users with pam authentication were getting locked out, in accords with our group domain policy 10 failed login attemps in 30 minutes. I included some information about our environment below. Sadly, after the upgrade to 8.3.9, we are still experiencing this issue. Has any one else reported this issue still exists, after the 8.3.9 fix below?
Thanks in advance,
So far, we have only migratated 1 of 3 linux/postgresql servers from using openldap to now using active directory. We'd like to move the other 2 to production, once we solve this issue. It's a random issue. Some domain users don't have the problem of getting locked out and some do, even though everyone is putting in their right password. We made the postgres user md5 to put a patch on things for now, but we still have at least 2 users getting locked out pretty often.
Maybe the best thing is to switch to gssapi authentication instead of PAM. Does anyone have any suggestions or experience with this?
~DjK
##
Fix PAM password processing to be more robust (Tom) The previous code is known to fail with the combination of the Linux pam_krb5 PAM module with Microsoft Active Directory as the domain controller. It might have problems elsewhere too, since it was making unjustified assumptions about what arguments the PAM stack would pass to it.
##
Linux and AD
The AD is running at a domain functional level of Windows Server 2003, however the schema is updated to Windows Server 2008.
Linux OS: SLES 9 sp4
2.6.5-7.308-smp #1 SMP Mon Dec 10 11:36:40 UTC 2007 x86_64 x86_64 x86_64 GNU/Linux
## PAM -- postgres
auth required pam_unix2.so nullok
account required pam_unix2.so
## nsswitch.conf --
passwd: compat
group: compat
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files nis
aliases: files
passwd_compat: ldap
group_compat: ldap
Hotmail: Trusted email with Microsoft’s powerful SPAM protection. Sign up now.