Bug 1650314
| Field | Value |
|---|---|
| Summary | authconfig --enablerequiresmartcard breaks cron |
| Product | Red Hat Enterprise Linux 7 |
| Component | cronie |
| Version | 7.6 |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | unspecified |
| Reporter | Orion Poplawski <orion> |
| Assignee | Marcel Plch <mplch> |
| QA Contact | Jan Houska <jhouska> |
| CC | hhorak, jhouska, pbrezina, pvoborni, sbose, vdanek |
| Target Milestone | rc |
| Hardware | All |
| OS | Linux |
| Fixed In Version | 1.4.11-22 |
| Doc Type | No Doc Update |
|  | 1656825 |
| Last Closed | 2019-08-06 12:35:18 UTC |
| Type | Bug |
Description
Orion Poplawski
2018-11-15 20:23:28 UTC
Perhaps cronie should be using system-auth instead of password-auth? That seems to fix it.

The reason for the failure is that although cronie does not call pam_authenticate() it calls pam_setcred() which uses the 'auth' type configuration as well. I agree that system-auth might be better suited for cronie because in general it is expected that if Smartcard authentication is required there will be a pam_deny in the password-auth configuration.

However in the given case where

```
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --enablerequiresmartcard --updateall
```

is called there should be a message like:

```
authconfig: --enablerequiresmartcard is not supported for module 'sssd', option is ignored.
```

But pam_deny is still added in password-auth. I think this might be because some patch might not be applied correctly. While the git repository https://pagure.io/authconfig/blob/master/f/authinfo.py#_3832 only has:

```python
(enableSmartcard and not use_sssd_smartcard_support and module[NAME] == "pkcs11") or
(enableSmartcard and not use_sssd_smartcard_support and forceSmartcard and module[NAME] == "deny") or
(enableFprintd and module[NAME] == "fprintd") or
```

there is an extra line in the installed version in RHEL-7.6:

```python
(enableSmartcard and not use_sssd_smartcard_support and module[NAME] == "pkcs11") or
(enableSmartcard and not use_sssd_smartcard_support and forceSmartcard and module[NAME] == "deny") or
(enableSmartcard and forceSmartcard and module[NAME] == "deny") or
(enableFprintd and module[NAME] == "fprintd") or
```

which is responsible for the unexpected pam_deny in password-auth.
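The failure mode discussed in this report, pam_setcred() walking the `auth` stack and reaching an unconditional pam_deny, can be checked for statically. The following is an added example, not code from authconfig or cronie; the service names `crond-old` and `crond-new`, the simplified file contents and the function names are constructed for illustration.

```python
# Added example: flag PAM services whose 'auth' stack ends in an
# unconditional pam_deny.so, which makes pam_setcred() fail for cron jobs.
# All file contents below are constructed, simplified samples.
PAM_FILES = {
    "crond-old": "account include password-auth\nauth include password-auth\n",
    "crond-new": "account include system-auth\nauth include system-auth\n",
    "password-auth": (
        "#%PAM-1.0\n"
        "auth required pam_env.so\n"
        "auth required pam_faildelay.so delay=2000000\n"
        "auth required pam_deny.so\n"
    ),
    "system-auth": (
        "auth required pam_env.so\n"
        "auth sufficient pam_unix.so nullok try_first_pass\n"
        "auth required pam_deny.so\n"
    ),
}


def auth_stack(service, files, seen=()):
    """Flatten the 'auth' entries of a service, following include/substack."""
    if service in seen:  # guard against include loops
        return []
    entries = []
    for raw in files[service].splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue
        if fields[1].startswith("["):  # bracketed control may contain spaces
            end = next(i for i, f in enumerate(fields) if f.endswith("]"))
            control, rest = " ".join(fields[1:end + 1]), fields[end + 1:]
        else:
            control, rest = fields[1], fields[2:]
        if control in ("include", "substack"):
            entries += auth_stack(rest[0], files, seen + (service,))
        else:
            entries.append((control, rest[0]))
    return entries


def unconditional_deny(service, files):
    """True if pam_deny.so is reached before any line that can end the stack early."""
    for control, module in auth_stack(service, files):
        if module == "pam_deny.so" and control in ("required", "requisite"):
            return True
        if control == "sufficient" or control.startswith("["):
            return False  # an earlier success may bypass the deny; review by hand
    return False
```

The check is deliberately conservative: once a `sufficient` or bracketed control appears before pam_deny.so it reports nothing, so a clean result still needs a manual read of the stack.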
It looks like there are two issues:

1) Authconfig does not really ignore --enablerequiresmartcard when sssd module is used even though the message is presented:

```
# authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --enablerequiresmartcard --updateall
authconfig: --enablerequiresmartcard is not supported for module 'sssd', option is ignored.
authconfig: Authentication module /usr/lib64/security/pam_sss.so is missing. Authentication process might not work correctly.
[root@kvm-guest-01 ~]# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_deny.so
...
```

2) However the same problem with cron applies to pkcs11 module which supports requiresmartcard:

```
# authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=pkcs11 --smartcardaction=0 --enablerequiresmartcard --updateall
```

We should split this in two bugs, one for authconfig to actually ignore the requiresmartcard option for sssd module and one for cronie to use system-auth instead of password auth.

Authconfig bug: https://bugzilla.redhat.com/show_bug.cgi?id=1656825

VERIFIED

OLD FAIL: cronie-1.4.11-20.el7_6

```
:: [ 13:59:42 ] :: [ PASS ] :: Command 'authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --enablerequiresmartcard --updateall' (Expected 0, got 0)
Redirecting to /bin/systemctl status crond.service
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-06-20 13:58:51 EDT; 50s ago
 Main PID: 29444 (crond)
   CGroup: /system.slice/crond.service
           └─29444 /usr/sbin/crond -n

Jun 20 13:58:51 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Started Command Scheduler.
```
```
Redirecting to /bin/systemctl start crond.service
:: [ 13:59:44 ] :: [ LOG ] :: rlServiceStart: Service crond started successfully
:: [ 14:00:25 ] :: [ BEGIN ] :: Running 'tail /var/log/cron > cron.log.30'
:: [ 14:00:25 ] :: [ PASS ] :: Command 'tail /var/log/cron > cron.log.30' (Expected 0, got 0)
:: [ 14:00:25 ] :: [ PASS ] :: File 'cron.log.30' should not contain '(root) PAM ERROR (Failure setting user credentials)'
:: [ 14:00:25 ] :: [ PASS ] :: File 'cron.log.30' should not contain '(root) FAILED to authorize user with PAM (Failure setting user credentials)'
:: [ 14:00:25 ] :: [ BEGIN ] :: Running 'authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=coolkey --smartcardaction=0 --enablerequiresmartcard --updateall'
authconfig: Authentication module /usr/lib64/security/pam_pkcs11.so is missing. Authentication process might not work correctly.
authconfig: Authentication module /usr/lib64/security/pam_sss.so is missing. Authentication process might not work correctly.
:: [ 14:00:33 ] :: [ PASS ] :: Command 'authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=coolkey --smartcardaction=0 --enablerequiresmartcard --updateall' (Expected 0, got 0)
Redirecting to /bin/systemctl status crond.service
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-06-20 13:59:44 EDT; 49s ago
 Main PID: 29639 (crond)
   CGroup: /system.slice/crond.service
           └─29639 /usr/sbin/crond -n

Jun 20 13:59:44 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Started Command Scheduler.
Jun 20 13:59:44 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29639]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 12% if used.)
```
```
Redirecting to /bin/systemctl start crond.service
:: [ 14:00:35 ] :: [ LOG ] :: rlServiceStart: Service crond started successfully
:: [ 14:01:16 ] :: [ BEGIN ] :: Running 'tail /var/log/cron > cron2.log.30'
:: [ 14:01:16 ] :: [ PASS ] :: Command 'tail /var/log/cron > cron2.log.30' (Expected 0, got 0)
:: [ 14:01:16 ] :: [ FAIL ] :: File 'cron2.log.30' should not contain '(root) PAM ERROR (Failure setting user credentials)'
:: [ 14:01:17 ] :: [ FAIL ] :: File 'cron2.log.30' should not contain '(root) FAILED to authorize user with PAM (Failure setting user credentials)'
:: [ 14:01:17 ] :: [ LOG ] :: Closing loop - FAIL detected!!!
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 3184s
:: Assertions: 246 good, 2 bad
:: RESULT: FAIL
```

NEW PASS: cronie-1.4.11-23.el7

```
:: [ 16:59:04 ] :: [ BEGIN ] :: Running 'authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --enablerequiresmartcard --updateall'
authconfig: --enablerequiresmartcard is not supported for module 'sssd', option is ignored.
authconfig: Authentication module /usr/lib64/security/pam_sss.so is missing. Authentication process might not work correctly.
:: [ 16:59:13 ] :: [ PASS ] :: Command 'authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --enablerequiresmartcard --updateall' (Expected 0, got 0)
Redirecting to /bin/systemctl status crond.service
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-06-20 16:58:23 EDT; 50s ago
 Main PID: 7265 (crond)
   CGroup: /system.slice/crond.service
           └─7265 /usr/sbin/crond -n

Jun 20 16:58:23 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Started Command Scheduler.
```
```
Redirecting to /bin/systemctl start crond.service
:: [ 16:59:15 ] :: [ LOG ] :: rlServiceStart: Service crond started successfully
:: [ 16:59:56 ] :: [ BEGIN ] :: Running 'tail /var/log/cron > cron.log.100'
:: [ 16:59:56 ] :: [ PASS ] :: Command 'tail /var/log/cron > cron.log.100' (Expected 0, got 0)
:: [ 16:59:56 ] :: [ PASS ] :: File 'cron.log.100' should not contain '(root) PAM ERROR (Failure setting user credentials)'
:: [ 16:59:56 ] :: [ PASS ] :: File 'cron.log.100' should not contain '(root) FAILED to authorize user with PAM (Failure setting user credentials)'
:: [ 16:59:56 ] :: [ BEGIN ] :: Running 'authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=coolkey --smartcardaction=0 --enablerequiresmartcard --updateall'
authconfig: Authentication module /usr/lib64/security/pam_pkcs11.so is missing. Authentication process might not work correctly.
authconfig: Authentication module /usr/lib64/security/pam_sss.so is missing. Authentication process might not work correctly.
:: [ 17:00:06 ] :: [ PASS ] :: Command 'authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=coolkey --smartcardaction=0 --enablerequiresmartcard --updateall' (Expected 0, got 0)
Redirecting to /bin/systemctl status crond.service
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-06-20 16:59:15 EDT; 51s ago
 Main PID: 7471 (crond)
   CGroup: /system.slice/crond.service
           └─7471 /usr/sbin/crond -n

Jun 20 16:59:15 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Started Command Scheduler.
Jun 20 16:59:15 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7471]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 68% if used.)
```
```
Redirecting to /bin/systemctl start crond.service
:: [ 17:00:08 ] :: [ LOG ] :: rlServiceStart: Service crond started successfully
:: [ 17:00:49 ] :: [ BEGIN ] :: Running 'tail /var/log/cron > cron2.log.100'
:: [ 17:00:49 ] :: [ PASS ] :: Command 'tail /var/log/cron > cron2.log.100' (Expected 0, got 0)
:: [ 17:00:49 ] :: [ PASS ] :: File 'cron2.log.100' should not contain '(root) PAM ERROR (Failure setting user credentials)'
:: [ 17:00:49 ] :: [ PASS ] :: File 'cron2.log.100' should not contain '(root) FAILED to authorize user with PAM (Failure setting user credentials)'
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 10248s
:: Assertions: 808 good, 0 bad
:: RESULT: PASS
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2041