For some reason, some of my servers have been having trouble with AD authentication. The symptoms were: when logging into the console using an AD-enabled account (i.e. an account that should be authenticated by AD), despite providing the correct password, the system would return "password incorrect". Upon providing the username again, the user is immediately granted access without having to provide a password.
I’m not sure about the provide-once-denied-provide-name-authorized behavior, but after some testing I discovered that the reason it’s not letting the user in the first time is that the lines for pam_unix and pam_kerberos (pam_krb5 to be exact) in /etc/pam.d/system-auth are reversed. It should have pam_unix before pam_kerberos. I have no clue what is causing these lines to be reversed in the configuration file. I’m configuring all of the authentication and security measures using the esxcfg-... commands, so it seems weird that this behavior has been exhibited starting with the blade servers.
Anyway, the fix files: one bash, one awk…
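As an added example (not the author's fix files), the shell function below checks for the ordering problem described above: whether the first auth line using pam_unix comes before the first auth line using pam_krb5. The function name check_pam_order and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the author's fix files.

# check_pam_order FILE
# Prints "ok" if the first auth line using pam_unix.so comes before the first
# auth line using pam_krb5.so, "reversed" if it comes after, and "missing" if
# either module is absent from the auth stack. Returns 0 only for "ok".
# Commented-out lines and other stacks (account, password, session) are
# ignored because their first field is not "auth".
check_pam_order() {
    result=$(awk '
        $1 == "auth" && /pam_unix\.so/ && !unix { unix = NR }
        $1 == "auth" && /pam_krb5\.so/ && !krb5 { krb5 = NR }
        END {
            if (!unix || !krb5) print "missing"
            else if (unix < krb5) print "ok"
            else print "reversed"
        }' "$1")
    echo "$result"
    [ "$result" = "ok" ]
}

# Constructed sample files (not copied from a real host).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/good" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/$ISA/pam_env.so
auth       sufficient   /lib/security/$ISA/pam_unix.so likeauth nullok
auth       sufficient   /lib/security/$ISA/pam_krb5.so use_first_pass
auth       required     /lib/security/$ISA/pam_deny.so
account    required     /lib/security/$ISA/pam_unix.so
EOF
cat > "$SAMPLES/reversed" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/$ISA/pam_env.so
auth       sufficient   /lib/security/$ISA/pam_krb5.so use_first_pass
auth       sufficient   /lib/security/$ISA/pam_unix.so likeauth nullok
auth       required     /lib/security/$ISA/pam_deny.so
account    required     /lib/security/$ISA/pam_unix.so
EOF

# Report each sample; "|| true" keeps the loop going on a non-ok result.
for f in "$SAMPLES/good" "$SAMPLES/reversed"; do
    printf '%s: ' "${f##*/}"
    check_pam_order "$f" || true
done
```

On a host, the same function can be pointed at /etc/pam.d/system-auth and its exit status used in a monitoring or configuration-audit job.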