Bug 1304374

Summary: Pam stack is not properly configured for sssd
Product: [Fedora] Fedora Reporter: Lukas Slebodnik <lslebodn>
Component: sssdAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 22CC: abokovoy, jhrozek, jlieskov, lslebodn, pbrezina, preichl, rharwood, sbose, ssorce, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-02-03 13:40:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
patch for upstream none

Description Lukas Slebodnik 2016-02-03 12:44:24 UTC 
Description of problem:
I tried to configure my machine with my custom sssd.conf.
I used authconfig to configure pam stack. (sss is already in nsswitch.conf)

sh# authconfig --enablesssd --enablesssdauth --update


Version-Release number of selected component (if applicable):
authconfig-6.2.10-6.fc22.x86_64

How reproducible:
Deterministic

Steps to Reproduce:
1. authconfig --enablesssd --enablesssdauth --update

grep -E "pam_(sss|unix)" /etc/pam.d/system-auth
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so forward_pass
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
session     required      pam_unix.so
session     optional      pam_sss.so

Actual results:
sh# grep -E "account.*pam_unix" /etc/pam.d/system-auth
account     required      pam_unix.so

Expected results:
grep -E "account.*pam_unix" /etc/pam.d/system-auth
account     required      pam_unix.so  broken_shadow
Comment 1 Lukas Slebodnik 2016-02-03 12:47:45 UTC 
Created attachment 1120774 [details]
patch for upstream

Attached patch should fix the issue.
Comment 2 Tomas Mraz 2016-02-03 12:51:21 UTC 
I do not think what you propose is a correct configuration. At least before the account calls to pam_unix were working fine without the broken_shadow option.

What does 'getent passwd <remote-account-name>' return for you?
Comment 3 Lukas Slebodnik 2016-02-03 13:03:53 UTC 
sh$ getent passwd -s sss lslebodn
lslebodn:x:20728:20728:Lukas Slebodnik:/home/lslebodn:/bin/bash

sh$ grep -E "pam_(sss|unix)" /etc/pam.d/password-auth
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so forward_pass
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
session     required      pam_unix.so
session     optional      pam_sss.so


sh$ ssh -l lslebodn localhost
lslebodn@localhost's password: 
Connection closed by ::1


And here is related part of log file
Feb 03 13:57:56 host.example.test audit[26339]: USER_AUTH pid=26339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="lslebodn" exe="/usr/sbin/sshd" hostname=? addr=::1 terminal=ssh res=failed'
Feb 03 13:58:02 host.example.test sshd[26339]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 user=lslebodn
Feb 03 13:58:02 host.example.test audit[26339]: USER_AUTH pid=26339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss acct="lslebodn" exe="/usr/sbin/sshd" hostname=::1 addr=::1 terminal=ssh res=success'
Feb 03 13:58:02 host.example.test unix_chkpwd[26342]: could not obtain user info (lslebodn)
Feb 03 13:58:02 host.example.test audit[26339]: USER_ACCT pid=26339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=? acct="lslebodn" exe="/usr/sbin/sshd" hostname=::1 addr=::1 terminal=ssh res=failed'
Feb 03 13:58:02 host.example.test sshd[26339]: Failed password for lslebodn from ::1 port 41440 ssh2
Feb 03 13:58:02 host.example.test audit[26339]: USER_AUTH pid=26339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="lslebodn" exe="/usr/sbin/sshd" hostname=? addr=::1 terminal=ssh res=failed'
Feb 03 13:58:02 host.example.test sshd[26339]: fatal: Access denied for user lslebodn by PAM account configuration [preauth]


As you can see authentication passed with sssd. There is just issue with account.

If works fine If I comment out "account     required      pam_unix.so" or if I add broken_shadow to this line.

BTW I did not call authconfig with --enableldapauth or --enablekrb5.
Comment 4 Tomas Mraz 2016-02-03 13:06:51 UTC 
The problem is with the x in the passwd entry. SSSD should never put x there if it does not return proper shadow entry. And I suppose it does not do it in normal scenarios.

Reassigning to SSSD for further investigation.
Comment 5 Lukas Slebodnik 2016-02-03 13:40:21 UTC 
Ahh,

I had configured option in sssd.conf which changed the default '*' to the 'x' for testing purposes. I had to comment out this line as part of other changes
when I moved configuration from one machine to another.

sh# wc -l /etc/sssd/sssd.conf
113 /etc/sssd/sssd.conf

It works well after changing to the default (removing line from sssd.conf).