When modifying `/etc/pam.d/common-*` files for Active Directory integration, testing methodology is crucial because:
- PAM (Pluggable Authentication Modules) changes affect all services using authentication
- Configuration errors can lock you out of the system
- Changes take effect immediately - no service restart required
```bash
# Step 1: Always backup current configs
sudo cp /etc/pam.d/common-account /etc/pam.d/common-account.bak
sudo cp /etc/pam.d/common-auth /etc/pam.d/common-auth.bak
sudo cp /etc/pam.d/common-password /etc/pam.d/common-password.bak
sudo cp /etc/pam.d/common-session /etc/pam.d/common-session.bak
```
For AD integration testing, maintain multiple access methods:
- Keep two active SSH sessions open
- Have console access (physical or virtual)
- Test changes in this order: `common-session`, `common-account`, `common-auth`, `common-password`
Create a test script to verify basic functionality:
```bash
#!/bin/bash
# pam_test_script.sh

# Test local user auth
echo "Testing local user authentication:"
su - localuser -c "echo 'Local auth successful'"

# Test AD user auth (if configured)
if [ -f "/etc/krb5.keytab" ]; then
    echo "Testing AD user authentication:"
    kinit AD_USERNAME@DOMAIN.COM
    klist
fi

# Test sudo functionality
echo "Testing sudo privileges:"
sudo -k # clear credentials
sudo -l
```
For comprehensive testing:
```bash
# Check PAM stack processing
sudo pam-auth-update --verbose

# Test specific services
sshd_pam_test() {
    ssh -vvv localhost "echo SSH PAM test successful"
}
sshd_pam_test   # the function has to be called, not just defined

# Verify session handling
last | head -10
who -a
```
- Never test on production first - your VM approach is correct
- Avoid modifying all `common-*` files simultaneously
- Don't rely solely on SSH for testing - maintain console access
- Watch for cached credentials that might mask problems
Before deploying to metal:
```bash
# Validate all PAM configurations
for file in /etc/pam.d/*; do
    echo "Checking $file:"
    pam_parser -f "$file" || echo "Error in $file"
done

# Verify AD connectivity
realm list
# single quotes so grep receives an escaped backslash rather than a trailing one
getent passwd | grep 'DOMAIN\\'
```
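The answer above leans on a parser command for the syntax check. As an added example (not part of the answer, and not a tool the answer names), here is a dependency-free POSIX shell linter for the Linux-PAM line format `[-]type control module-path [args]`, accepting both keyword controls and bracketed `[value=action ...]` controls as well as Debian's `@include` directive. The function names are my own and the sample file it checks is constructed; it only validates the shape of each line, not whether the module files exist.

```shell
#!/bin/sh
# Added example: a dependency-free syntax check for PAM configuration files.
# Assumes the Linux-PAM line format  [-]type control module-path [args]
# (control is one keyword or a bracketed [value=action ...] list) plus
# Debian's "@include file" directive. Single-line entries only.
set -u

# Remove leading whitespace from $1
ltrim() { printf '%s' "${1#"${1%%[![:space:]]*}"}"; }

# Validate one PAM entry; prints a reason and returns 1 when it is malformed.
pam_lint_line() {
    local line type control rest module
    line=$(ltrim "$1")
    type=${line%%[[:space:]]*}
    rest=$(ltrim "${line#"$type"}")
    if [ "$type" = "@include" ]; then
        [ -n "$rest" ] && return 0
        echo "@include without a file name"; return 1
    fi
    case "${type#-}" in                  # a leading '-' only silences missing-module errors
        auth|account|password|session) ;;
        *) echo "unknown type '$type'"; return 1 ;;
    esac
    case "$rest" in
        "["*"]"*)                        # bracketed control: keep everything up to the ']'
            control="${rest%%]*}]"
            rest=$(ltrim "${rest#*]}") ;;
        "["*) echo "unterminated '[' control"; return 1 ;;
        *)
            control=${rest%%[[:space:]]*}
            rest=$(ltrim "${rest#"$control"}")
            case "$control" in
                required|requisite|sufficient|optional|include|substack) ;;
                *) echo "unknown control '$control'"; return 1 ;;
            esac ;;
    esac
    module=${rest%%[[:space:]]*}
    [ -n "$module" ] || { echo "missing module"; return 1; }
    case "$control" in
        include|substack) ;;             # these name another config file, not a .so
        *) case "$module" in
               *.so) ;;
               *) echo "module '$module' is not a .so"; return 1 ;;
           esac ;;
    esac
    return 0
}

# Check a whole file; prints file:line: reason for each bad entry, returns 1 if any.
pam_lint_file() {
    local file="$1" status=0 lineno=0 line reason
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}                 # drop comments
        line=$(ltrim "$line")
        [ -n "$line" ] || continue
        if ! reason=$(pam_lint_line "$line"); then
            echo "$file:$lineno: $reason"
            status=1
        fi
    done < "$file"
    return $status
}

# Constructed sample (not a real system file): one of its lines is malformed.
pam_lint_demo() {
    local tmp rc
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample resembling a Debian common-auth
auth    [success=2 default=ignore]  pam_unix.so nullok
auth    [success=1 default=ignore]  pam_sss.so use_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth    debug syslog
-session optional pam_systemd.so
EOF
    pam_lint_file "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Reports line 6 of the sample: unknown control 'debug'
if pam_lint_demo; then echo "all entries parse"; else echo "malformed entries found"; fi
```

Running `pam_lint_file /etc/pam.d/common-auth` before and after an edit is read-only, so it is safe to do from the session you intend to keep open; a clean result only means the lines parse, so the login tests from the answer are still needed.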
When modifying `/etc/pam.d/common-*` files for Active Directory integration, it's crucial to understand that these files serve as centralized authentication templates included by other service-specific PAM configurations. Unlike individual service files in `/etc/pam.d/`, changes to common files affect multiple services simultaneously.
Instead of blindly restarting services, follow this systematic approach:
```bash
# 1. First, backup current configurations
sudo cp /etc/pam.d/common-auth /etc/pam.d/common-auth.bak
sudo cp /etc/pam.d/common-account /etc/pam.d/common-account.bak
sudo cp /etc/pam.d/common-password /etc/pam.d/common-password.bak
sudo cp /etc/pam.d/common-session /etc/pam.d/common-session.bak

# 2. Verify syntax before applying changes
for file in common-auth common-account common-password common-session; do
    pam_parser "/etc/pam.d/$file" || echo "Error in $file"
done
```
Rather than testing every service, focus on these key services when integrating with AD:
- SSH: `sudo sshd -t` (config test), then an actual login attempt
- Console login: open a new terminal session or switch to another TTY
- sudo: `sudo -k` to clear cached credentials before testing
Create a test script to validate authentication flows:
```bash
#!/bin/bash
# pam_test_ad.sh - Validate AD authentication
# Placeholder credentials; AD_USER is used rather than USER so the
# shell's own USER variable is not overwritten.
AD_USER="testuser@domain"
PASS="testpass"

echo "Testing common-auth..."
echo -e "$PASS" | pam_exec -D -a "su - $AD_USER" /bin/true

echo "Testing sudo..."
echo -e "$PASS" | sudo -S -u "$AD_USER" whoami
```
Enable detailed logging when troubleshooting:
```
# Add to relevant common-* files:
auth debug syslog
account debug syslog
session debug syslog
```
Monitor logs in real-time: `sudo tail -f /var/log/auth.log`
Always prepare for quick rollback:
```bash
# Single command to restore original configs.
# Runs inside /etc/pam.d and globs the .bak copies, so it does not
# depend on the current directory and never tries to copy "x.bak.bak".
sudo sh -c 'cd /etc/pam.d && for f in *.bak; do cp "$f" "${f%.bak}"; done'
```
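Both answers stress backups and a fast rollback. As an added example (not the answer's own code), the functions below snapshot a PAM directory, verify that the live directory still matches the snapshot, restore it, and wrap an edit in a check command that triggers the restore automatically when the check fails. The directory is a parameter so the whole flow can be rehearsed on a constructed scratch directory, as the demo function does, before it is pointed at `/etc/pam.d` as root; the function names are my own.

```shell
#!/bin/sh
# Added example: snapshot, verify and restore a PAM configuration directory.
# The directory is a parameter so the functions can be exercised on a scratch
# copy before being pointed at /etc/pam.d (as root). Function names are mine.
set -u

# Copy every file in DIR into a fresh sibling directory DIR.bak.XXXXXX; print its path.
pam_snapshot() {
    local dir="$1" snap
    snap=$(mktemp -d "$dir.bak.XXXXXX") || return 1
    cp -p "$dir"/* "$snap"/ || return 1
    printf '%s\n' "$snap"
}

# Succeed only when DIR and SNAP hold identical files (an extra file counts as a difference).
pam_snapshot_verify() {
    diff -rq "$1" "$2" >/dev/null
}

# Put the snapshot back over DIR and confirm the result matches it.
pam_restore() {
    local dir="$1" snap="$2"
    cp -p "$snap"/* "$dir"/ || return 1
    pam_snapshot_verify "$dir" "$snap"
}

# Run a check command after an edit; keep the edit if it passes, otherwise roll back.
# Usage: pam_check_or_restore DIR SNAP check-command [args...]
pam_check_or_restore() {
    local dir="$1" snap="$2"
    shift 2
    [ $# -gt 0 ] || return 2             # a check command is mandatory
    if "$@"; then
        return 0
    fi
    echo "check failed, restoring $dir from $snap" >&2
    pam_restore "$dir" "$snap"
    return 1
}

# Walk-through on a constructed scratch directory standing in for /etc/pam.d.
pam_rollback_demo() {
    local dir snap
    dir=$(mktemp -d) || return 1
    printf 'auth    required    pam_unix.so\n' > "$dir/common-auth"
    printf 'session required    pam_unix.so\n' > "$dir/common-session"
    snap=$(pam_snapshot "$dir") || return 1
    # Simulated AD edit, then a check that fails (standing in for a failed test login)
    printf 'auth    sufficient  pam_sss.so\n' >> "$dir/common-auth"
    if pam_check_or_restore "$dir" "$snap" false 2>/dev/null; then
        return 1                         # should not get here: the check failed
    fi
    pam_snapshot_verify "$dir" "$snap" || return 1   # rolled back cleanly
    rm -rf "$dir" "$snap"
}

if pam_rollback_demo; then echo "rollback path works"; else echo "rollback demo failed"; fi
```

In real use the check command is whatever proves the stack still works from a second session, for example a login test run over the SSH session you kept open; because the restore copies only the files the snapshot contains, a file added after the snapshot is reported by the verify step rather than silently left behind.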