12 April,16 at 11:45 AM
Applies to: All versions of Centrify DirectControl
Answer:
The latest releases of Linux PAM include a module called pam_tally, which rejects a user who has failed to log in too many times. Although this functionality is not coordinated with Windows domain policy settings, the use of pam_tally may add value for local account logins.
If the requirement is to monitor local account login failures, then place pam_tally after the Centrify lines:
auth sufficient pam_centrifydc.so
auth requisite pam_centrifydc.so deny
account sufficient pam_centrifydc.so
account requisite pam_centrifydc.so deny
session required pam_centrifydc.so homedir
password sufficient pam_centrifydc.so try_first_pass
password requisite pam_centrifydc.so deny
auth required /lib/security/$ISA/pam_tally.so per_user deny=3 onerr=fail
account required /lib/security/$ISA/pam_tally.so
Placing the pam_tally auth and account lines after the Centrify lines means that an AD user's login failure will not be recorded: the requisite pam_centrifydc.so deny line ends the stack for an AD user before pam_tally is reached. Only a local user, who falls through all of the Centrify checking, comes to this pam_tally logic.
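The ordering rule above can be checked with a small model of how Linux-PAM walks an auth stack. The following is an added example, not Centrify's or Linux-PAM's own code: the sufficient/requisite/required handling follows standard Linux-PAM control-flag semantics, but the per-module verdicts (what pam_centrifydc.so returns for AD versus non-AD users, how pam_tally counts) are a simplified assumption written for illustration, and the user names, passwords and the trailing pam_unix.so line are constructed. It runs the article's stack and a deliberately misordered one (pam_tally placed before the Centrify lines) so the difference in which users get counted is visible.

```python
"""Toy model of a PAM auth stack: who reaches pam_tally, and when?"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed stack mirroring the article's ordering (module paths shortened).
# pam_tally options are the documented ones: per_user, deny=N, onerr=fail
# (onerr=fail: a tally-file error is treated as an authentication failure).
AUTH_STACK: List[Tuple[str, str, List[str]]] = [
    ("sufficient", "pam_centrifydc.so", []),
    ("requisite",  "pam_centrifydc.so", ["deny"]),
    ("required",   "pam_tally.so", ["per_user", "deny=3", "onerr=fail"]),
    ("required",   "pam_unix.so", []),   # assumed local-password line
]

# The mistake the article warns against: pam_tally ahead of the Centrify lines.
MISORDERED_STACK = [AUTH_STACK[2], AUTH_STACK[0], AUTH_STACK[1], AUTH_STACK[3]]

# Constructed user databases (assumption: one AD user, one local user).
AD_USERS = {"alice": "Correct-Horse"}
LOCAL_USERS = {"bob": "Battery-Staple"}


@dataclass
class Tally:
    """Per-user attempt counter, standing in for pam_tally's tally file."""
    counts: Dict[str, int] = field(default_factory=dict)


def module_verdict(module: str, args: List[str], user: str,
                   password: str, tally: Tally) -> str:
    """Assumed, simplified behaviour of each module: 'ok', 'fail' or 'ignore'."""
    if module == "pam_centrifydc.so":
        if user not in AD_USERS:
            return "ignore"              # not an AD user: Centrify steps aside
        if "deny" in args:
            return "fail"                # AD user still here after the
                                         # sufficient line: refused
        return "ok" if AD_USERS[user] == password else "fail"
    if module == "pam_tally.so":
        limit = int(next(a.split("=", 1)[1] for a in args if a.startswith("deny=")))
        tally.counts[user] = tally.counts.get(user, 0) + 1
        return "fail" if tally.counts[user] > limit else "ok"
    if module == "pam_unix.so":
        return "ok" if LOCAL_USERS.get(user) == password else "fail"
    return "ignore"


def run_stack(stack, user: str, password: str, tally: Tally) -> str:
    """Walk the stack with Linux-PAM control-flag semantics."""
    required_failed = False
    for control, module, args in stack:
        verdict = module_verdict(module, args, user, password, tally)
        if control == "sufficient" and verdict == "ok" and not required_failed:
            return "ok"                  # short-circuit success
        if control == "requisite" and verdict == "fail":
            return "fail"                # stop immediately
        if control == "required" and verdict == "fail":
            required_failed = True       # remember, but keep walking
    return "fail" if required_failed else "ok"


def failures_recorded(stack, attempts: List[Tuple[str, str]]):
    """Run a sequence of (user, password) attempts; return results and the tally."""
    tally = Tally()
    results = [run_stack(stack, u, p, tally) for u, p in attempts]
    return results, dict(tally.counts)


if __name__ == "__main__":
    attempts = [("alice", "wrong")] * 3 + [("bob", "wrong")] * 4
    print("article order :", failures_recorded(AUTH_STACK, attempts))
    print("misordered    :", failures_recorded(MISORDERED_STACK, attempts))
```

With the article's ordering, alice's three bad AD passwords stop at the requisite deny line and her tally stays empty, while bob's local failures are counted and his fourth attempt trips deny=3 (and, because pam_tally counts every attempt until the account phase resets it, a later correct password is still refused until the tally is cleared). With pam_tally moved ahead of the Centrify lines, alice's AD failures are counted too, which is the coupling the article says to avoid.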