🟡 Medium   ⏱ 5–30 min  Last verified: 20 May 2026
Affected versions: CentOS Stream 9

📖 ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

pam_faillock locks out service accounts on CentOS Stream 9 disrupts services and slows incident response until the root cause is resolved.

Environment & Reproduction

Service account locked out repeatedly because faillock counts failed sudo attempts.

faillock --user 
cat /etc/security/faillock.conf

Root Cause Analysis

Misalignment between auth configuration and CentOS Stream 9 defaults causes the failure path described above.

Quick Triage

Confirm package state, service status, and recent changes before deeper diagnostics.

systemctl status
rpm -qa | grep -i 
journalctl -p err -b --no-pager | tail -100

Step-by-Step Diagnosis

Capture detailed logs, configuration deltas, and runtime state to isolate the failing component.

faillock --user 
grep faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
journalctl -t sudo -n 100
Illustrative mockup for centos-stream-9 — auth_pam_faillock_diagnostics
Diagnostics for auth/pam-faillock on CentOS Stream 9 — Illustrative mockup — Progressive Robot

Solution – Primary Fix

Apply the targeted configuration change and restart the relevant services to restore expected behavior.

Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.

sudo faillock --user  --reset
sudo authselect select sssd with-faillock --force
sudo sed -i 's/^# deny =.*/deny = 10/' /etc/security/faillock.conf
Illustrative mockup for centos-stream-9 — auth_pam_faillock_fix_results
Fix verification for auth/pam-faillock on CentOS Stream 9 — Illustrative mockup — Progressive Robot

Solution – Alternative Approaches

Exempt automation accounts via even_deny_root no_magic_root tuning.

Verification & Acceptance Criteria

Validate the fix with deterministic checks and ensure no regressions in dependent services.

faillock --user 
sudo -u  id

Rollback Plan

Revert configuration and restart services to return to the previous known-good state.

authselect select minimal --force
faillock --user  --reset

Prevention & Hardening

Whitelist robotic accounts and monitor faillock counters.

Related: faillock, authselect, PAM stack; see also adjacent topics in the CentOS Stream 9 common problems series.

Related tutorial: View the step-by-step tutorial for centos-stream-9.

View all centos-stream-9 tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

CentOS Stream documentation, Red Hat upstream guides, and CentOS Stream 9 release notes covering this subsystem.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today — we respond within one business day.