🟡 Medium   ⏱ 5–30 min  Last verified: 20 May 2026
Affected versions: CentOS Stream 10

📖 ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

pam_faillock locks out service accounts on CentOS Stream 10 disrupts services and slows incident response until the root cause is resolved.

Environment & Reproduction

Service account locked out repeatedly because faillock counts failed sudo attempts.

faillock --user 
cat /etc/security/faillock.conf

Root Cause Analysis

Misalignment between auth configuration and CentOS Stream 10 defaults causes the failure path described above.

Quick Triage

Confirm package state, service status, and recent changes before deeper diagnostics.

systemctl status
rpm -qa | grep -i 
journalctl -p err -b --no-pager | tail -100

Step-by-Step Diagnosis

Capture detailed logs, configuration deltas, and runtime state to isolate the failing component.

faillock --user 
grep faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
journalctl -t sudo -n 100
Illustrative mockup for centos-stream-10 — auth_pam_faillock_diagnostics
Diagnostics for auth/pam-faillock on CentOS Stream 10 — Illustrative mockup — Progressive Robot

Solution – Primary Fix

Apply the targeted configuration change and restart the relevant services to restore expected behavior.

Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.

sudo faillock --user  --reset
sudo authselect select sssd with-faillock --force
sudo sed -i 's/^# deny =.*/deny = 10/' /etc/security/faillock.conf
Illustrative mockup for centos-stream-10 — auth_pam_faillock_fix_results
Fix verification for auth/pam-faillock on CentOS Stream 10 — Illustrative mockup — Progressive Robot

Solution – Alternative Approaches

Exempt automation accounts via even_deny_root no_magic_root tuning.

Verification & Acceptance Criteria

Validate the fix with deterministic checks and ensure no regressions in dependent services.

faillock --user 
sudo -u  id

Rollback Plan

Revert configuration and restart services to return to the previous known-good state.

authselect select minimal --force
faillock --user  --reset

Prevention & Hardening

Whitelist robotic accounts and monitor faillock counters.

Related: faillock, authselect, PAM stack; see also adjacent topics in the CentOS Stream 10 common problems series.

Related tutorial: View the step-by-step tutorial for centos-stream-10.

View all centos-stream-10 tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

CentOS Stream documentation, Red Hat upstream guides, and CentOS Stream 10 release notes covering this subsystem.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today — we respond within one business day.