| Summary: | Fix for #1204864 breaks some PAM configs | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Ade Rixon <ade.rixon> |
| Component: | authconfig | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.2 | CC: | pkis |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-02-11 08:15:58 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Authconfig is not supposed to work for any special possible configuration that can be invented. I'm sorry but authconfig will not be modified to accommodate for your setup and you will have to modify the PAM configuration to suit your needs manually. Development Management has reviewed and declined this request. You may appeal this decision by reopening this request. |
Description of problem: In #1204864, authconfig was modified to change the PAM configuration when sssd was used so that only local users would be authenticated with pam_unix and only network users would be authenticated with sssd. However, we have a configuration in which user accounts are defined locally (in passwd) but passwords are authenticated against LDAP via sssd (i.e. in nsswitch.conf, sss lookup is enabled for shadow only, not passwd). This prevents any LDAP account from logging in, limiting it to only those with matching local accounts while retaining centralised password control. The fix for #1204864 changes the control value for pam_unix from "sufficient" to "[success=done ignore=ignore default=die]", which appears to be equivalent to "requisite" in the legacy syntax. Hence pam_localuser detects that our users are local but when pam_unix fails to authenticate them (since they don't have a valid password locally, only in LDAP), the module aborts rather than proceeding to try pam_sss as before. Version-Release number of selected component (if applicable): 6.2.8-10 How reproducible: Our authentication setup is via: /usr/sbin/authconfig --disableforcelegacy --enableldap --enableldapauth --ldapserver={{ ldap_uri }} --ldapbasedn={{ ldap_basedn }} --enableldaptls --enableldapstarttls --ldaploadcacert=file://{{ ldap_cacert_path }} --disablefingerprint --enableshadow --enablelocauthorize --update The nsswitch.conf file is then edited to remove 'sss' from the passwd and group databases. Steps to Reproduce: 1. Configure LDAP authentication via sssd as above using latest authconfig. 2. Attempt to login with password authentication or use sudo, etc. 3. Actual results: Authentication fails with "Permission denied". Expected results: Authentication succeeds using LDAP password. Additional info: This configuration worked with authconfig prior to the above release (bar a spurious 'authentication failed' error from pam_unix prior to pam_sss succeeding). Changing the pam_unix control back to "sufficient" allows it to work again (but may have other undesirable effects?).