Bug 1650314

Summary: authconfig --enablerequiresmartcard breaks cron
Product: Red Hat Enterprise Linux 7 Reporter: Orion Poplawski <orion>
Component: cronie Assignee: Marcel Plch <mplch>
Status: CLOSED ERRATA QA Contact: Jan Houska <jhouska>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.6 CC: hhorak, jhouska, pbrezina, pvoborni, sbose, vdanek
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 1.4.11-22 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 1656825 Environment:
Last Closed: 2019-08-06 12:35:18 UTC Type: Bug

Description Orion Poplawski 2018-11-15 20:23:28 UTC
Description of problem:

After running:

authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --enablerequiresmartcard --updateall

cron no longer works for any user (including root):

crond[3783]: (root) PAM ERROR (Failure setting user credentials)
crond[3783]: (root) FAILED to authorize user with PAM (Failure setting user credentials)

This appears to be the same situation described in https://access.redhat.com/solutions/550293

Version-Release number of selected component (if applicable):
authconfig-6.2.8-30.el7.x86_64
cronie-1.4.11-19.el7.x86_64

Comment 2 Orion Poplawski 2018-11-15 20:41:09 UTC
Perhaps cronie should be using system-auth instead of password-auth?  That seems to fix it.

Comment 3 Sumit Bose 2018-11-26 13:27:28 UTC
The reason for the failure is that although cronie does not call pam_authenticate(), it calls pam_setcred(), which uses the 'auth' type configuration as well.

I agree that system-auth might be better suited for cronie because in general it is expected that if Smartcard authentication is required there will be a pam_deny in the password-auth configuration.

However in the given case where

    authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --enablerequiresmartcard --updateall

is called there should be a message like:

    authconfig: --enablerequiresmartcard is not supported for module 'sssd', option is ignored.

But pam_deny is still added in password-auth.

I think this might be because some patch might not be applied correctly. While the git repository https://pagure.io/authconfig/blob/master/f/authinfo.py#_3832 only has:

                                        (enableSmartcard and not use_sssd_smartcard_support and module[NAME] == "pkcs11") or
                                        (enableSmartcard and not use_sssd_smartcard_support and forceSmartcard and module[NAME] == "deny") or
                                        (enableFprintd and module[NAME] == "fprintd") or


there is an extra line in the installed version in RHEL-7.6:

                                        (enableSmartcard and not use_sssd_smartcard_support and module[NAME] == "pkcs11") or
                                        (enableSmartcard and not use_sssd_smartcard_support and forceSmartcard and module[NAME] == "deny") or
                                        (enableSmartcard and forceSmartcard and module[NAME] == "deny") or
                                        (enableFprintd and module[NAME] == "fprintd") or


which is responsible for the unexpected pam_deny in password-auth.

Comment 7 Pavel Březina 2018-12-06 12:08:05 UTC
It looks like there are two issues:

1) Authconfig does not really ignore --enablerequiresmartcard when sssd module is used even though the message is presented:

    # authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --enablerequiresmartcard --updateall
    authconfig: --enablerequiresmartcard is not supported for module 'sssd', option is ignored.
    authconfig: Authentication module /usr/lib64/security/pam_sss.so is missing. Authentication process might not work correctly.
    [root@kvm-guest-01 ~]# cat /etc/pam.d/password-auth
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        required      pam_faildelay.so delay=2000000
    auth        required      pam_deny.so
    ...

2) However the same problem with cron applies to pkcs11 module which supports requiresmartcard:

    # authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=pkcs11 --smartcardaction=0 --enablerequiresmartcard --updateall

We should split this in two bugs, one for authconfig to actually ignore the requiresmartcard option for sssd module and one for cronie to use system-auth instead of password-auth.

Comment 9 Pavel Březina 2018-12-06 12:11:44 UTC
Authconfig bug: https://bugzilla.redhat.com/show_bug.cgi?id=1656825
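
Added example (not part of the bug report, and not cronie or authconfig code): a static check for the condition Comments 3 and 7 describe, where the 'auth' stack a service includes reaches pam_deny.so with nothing before it that could end the stack. The file contents are constructed samples; the password-auth lines mirror Comment 7, while the crond and system-auth contents and the "no earlier sufficient or bracketed control" rule are assumptions and a heuristic, not libpam's full evaluation.

```python
import re

# Constructed sample files keyed by name under /etc/pam.d (not from a real host).
# The password-auth lines mirror the output quoted in Comment 7; the crond-*
# and system-auth contents are assumptions made for illustration.
SAMPLE = {
    "crond-before": "auth include password-auth\n",
    "crond-after": "auth include system-auth\n",
    "password-auth": (
        "#%PAM-1.0\n"
        "auth        required      pam_env.so\n"
        "auth        required      pam_faildelay.so delay=2000000\n"
        "auth        required      pam_deny.so\n"
    ),
    "system-auth": (
        "#%PAM-1.0\n"
        "auth        required      pam_env.so\n"
        "auth        [success=done ignore=ignore default=die] pam_pkcs11.so\n"
        "auth        required      pam_deny.so\n"
    ),
}

# type, control (keyword or [bracketed list]), module; arguments are ignored
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def flatten(files, service, mtype="auth", seen=()):
    """List (control, module) rules of one type, following include/substack."""
    if service in seen:
        raise ValueError("include loop via " + service)
    rules = []
    for raw in files[service].splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1).lstrip("-") != mtype:
            continue
        control, module = m.group(2), m.group(3)
        if control in ("include", "substack"):
            rules += flatten(files, module, mtype, seen + (service,))
        else:
            rules.append((control, module.rsplit("/", 1)[-1]))
    return rules

def unconditional_deny(rules):
    """Heuristic: pam_deny.so is hit before any rule that could end or skip the stack."""
    for control, module in rules:
        if control == "sufficient" or control.startswith("["):
            return False
        if module == "pam_deny.so" and control in ("required", "requisite"):
            return True
    return False

def audit(files, service):
    """Summarise the flattened auth stack of one service."""
    rules = flatten(files, service)
    return {"modules": [m for _, m in rules],
            "unconditional_deny": unconditional_deny(rules)}
```

To run it against a host, build the `files` dict from the contents of /etc/pam.d and call `audit(files, "crond")`.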

Comment 13 Jan Houska 2019-06-24 10:47:13 UTC
VERIFIED


OLD FAIL:
cronie-1.4.11-20.el7_6


:: [ 13:59:42 ] :: [   PASS   ] :: Command 'authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --enablerequiresmartcard --updateall' (Expected 0, got 0)
Redirecting to /bin/systemctl status crond.service
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-06-20 13:58:51 EDT; 50s ago
 Main PID: 29444 (crond)
   CGroup: /system.slice/crond.service
           └─29444 /usr/sbin/crond -n

Jun 20 13:58:51 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Started Command Scheduler.
Jun 20 13:58:51 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29444]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 28% if used.)
Jun 20 13:58:51 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29444]: (CRON) INFO (running with inotify support)
Jun 20 13:58:51 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29444]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Redirecting to /bin/systemctl stop crond.service
Redirecting to /bin/systemctl status crond.service
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Thu 2019-06-20 13:59:42 EDT; 2s ago
  Process: 29444 ExecStart=/usr/sbin/crond -n $CRONDARGS (code=exited, status=0/SUCCESS)
 Main PID: 29444 (code=exited, status=0/SUCCESS)

Jun 20 13:58:51 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Started Command Scheduler.
Jun 20 13:58:51 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29444]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 28% if used.)
Jun 20 13:58:51 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29444]: (CRON) INFO (running with inotify support)
Jun 20 13:58:51 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29444]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Jun 20 13:59:42 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Stopping Command Scheduler...
Jun 20 13:59:42 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Stopped Command Scheduler.
Redirecting to /bin/systemctl start crond.service
:: [ 13:59:44 ] :: [   LOG    ] :: rlServiceStart: Service crond started successfully
:: [ 14:00:25 ] :: [  BEGIN   ] :: Running 'tail /var/log/cron > cron.log.30'
:: [ 14:00:25 ] :: [   PASS   ] :: Command 'tail /var/log/cron > cron.log.30' (Expected 0, got 0)
:: [ 14:00:25 ] :: [   PASS   ] :: File 'cron.log.30' should not contain '(root) PAM ERROR (Failure setting user credentials)' 
:: [ 14:00:25 ] :: [   PASS   ] :: File 'cron.log.30' should not contain '(root) FAILED to authorize user with PAM (Failure setting user credentials)' 
:: [ 14:00:25 ] :: [  BEGIN   ] :: Running 'authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=coolkey --smartcardaction=0 --enablerequiresmartcard --updateall'
authconfig: Authentication module /usr/lib64/security/pam_pkcs11.so is missing. Authentication process might not work correctly.
authconfig: Authentication module /usr/lib64/security/pam_sss.so is missing. Authentication process might not work correctly.
:: [ 14:00:33 ] :: [   PASS   ] :: Command 'authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=coolkey --smartcardaction=0 --enablerequiresmartcard --updateall' (Expected 0, got 0)
Redirecting to /bin/systemctl status crond.service
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-06-20 13:59:44 EDT; 49s ago
 Main PID: 29639 (crond)
   CGroup: /system.slice/crond.service
           └─29639 /usr/sbin/crond -n

Jun 20 13:59:44 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Started Command Scheduler.
Jun 20 13:59:44 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29639]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 12% if used.)
Jun 20 13:59:44 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29639]: (CRON) INFO (running with inotify support)
Jun 20 13:59:44 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29639]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Redirecting to /bin/systemctl stop crond.service
Redirecting to /bin/systemctl status crond.service
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Thu 2019-06-20 14:00:33 EDT; 2s ago
  Process: 29639 ExecStart=/usr/sbin/crond -n $CRONDARGS (code=exited, status=0/SUCCESS)
 Main PID: 29639 (code=exited, status=0/SUCCESS)

Jun 20 13:59:44 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Started Command Scheduler.
Jun 20 13:59:44 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29639]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 12% if used.)
Jun 20 13:59:44 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29639]: (CRON) INFO (running with inotify support)
Jun 20 13:59:44 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29639]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Jun 20 14:00:33 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Stopping Command Scheduler...
Jun 20 14:00:33 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Stopped Command Scheduler.
Redirecting to /bin/systemctl start crond.service
:: [ 14:00:35 ] :: [   LOG    ] :: rlServiceStart: Service crond started successfully
:: [ 14:01:16 ] :: [  BEGIN   ] :: Running 'tail /var/log/cron > cron2.log.30'
:: [ 14:01:16 ] :: [   PASS   ] :: Command 'tail /var/log/cron > cron2.log.30' (Expected 0, got 0)
:: [ 14:01:16 ] :: [   FAIL   ] :: File 'cron2.log.30' should not contain '(root) PAM ERROR (Failure setting user credentials)' 
:: [ 14:01:17 ] :: [   FAIL   ] :: File 'cron2.log.30' should not contain '(root) FAILED to authorize user with PAM (Failure setting user credentials)' 
:: [ 14:01:17 ] :: [   LOG    ] :: Closing loop - FAIL detected!!! 
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 3184s
::   Assertions: 246 good, 2 bad
::   RESULT: FAIL


NEW PASS:
cronie-1.4.11-23.el7

:: [ 16:59:04 ] :: [  BEGIN   ] :: Running 'authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --enablerequiresmartcard --updateall'
authconfig: --enablerequiresmartcard is not supported for module 'sssd', option is ignored.
authconfig: Authentication module /usr/lib64/security/pam_sss.so is missing. Authentication process might not work correctly.
:: [ 16:59:13 ] :: [   PASS   ] :: Command 'authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --enablerequiresmartcard --updateall' (Expected 0, got 0)
Redirecting to /bin/systemctl status crond.service
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-06-20 16:58:23 EDT; 50s ago
 Main PID: 7265 (crond)
   CGroup: /system.slice/crond.service
           └─7265 /usr/sbin/crond -n

Jun 20 16:58:23 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Started Command Scheduler.
Jun 20 16:58:23 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7265]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 58% if used.)
Jun 20 16:58:23 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7265]: (CRON) INFO (running with inotify support)
Jun 20 16:58:23 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7265]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Redirecting to /bin/systemctl stop crond.service
Redirecting to /bin/systemctl status crond.service
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Thu 2019-06-20 16:59:13 EDT; 2s ago
  Process: 7265 ExecStart=/usr/sbin/crond -n $CRONDARGS (code=exited, status=0/SUCCESS)
 Main PID: 7265 (code=exited, status=0/SUCCESS)

Jun 20 16:58:23 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Started Command Scheduler.
Jun 20 16:58:23 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7265]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 58% if used.)
Jun 20 16:58:23 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7265]: (CRON) INFO (running with inotify support)
Jun 20 16:58:23 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7265]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Jun 20 16:59:13 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Stopping Command Scheduler...
Jun 20 16:59:13 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Stopped Command Scheduler.
Redirecting to /bin/systemctl start crond.service
:: [ 16:59:15 ] :: [   LOG    ] :: rlServiceStart: Service crond started successfully
:: [ 16:59:56 ] :: [  BEGIN   ] :: Running 'tail /var/log/cron > cron.log.100'
:: [ 16:59:56 ] :: [   PASS   ] :: Command 'tail /var/log/cron > cron.log.100' (Expected 0, got 0)
:: [ 16:59:56 ] :: [   PASS   ] :: File 'cron.log.100' should not contain '(root) PAM ERROR (Failure setting user credentials)' 
:: [ 16:59:56 ] :: [   PASS   ] :: File 'cron.log.100' should not contain '(root) FAILED to authorize user with PAM (Failure setting user credentials)' 
:: [ 16:59:56 ] :: [  BEGIN   ] :: Running 'authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=coolkey --smartcardaction=0 --enablerequiresmartcard --updateall'
authconfig: Authentication module /usr/lib64/security/pam_pkcs11.so is missing. Authentication process might not work correctly.
authconfig: Authentication module /usr/lib64/security/pam_sss.so is missing. Authentication process might not work correctly.
:: [ 17:00:06 ] :: [   PASS   ] :: Command 'authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=coolkey --smartcardaction=0 --enablerequiresmartcard --updateall' (Expected 0, got 0)
Redirecting to /bin/systemctl status crond.service
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-06-20 16:59:15 EDT; 51s ago
 Main PID: 7471 (crond)
   CGroup: /system.slice/crond.service
           └─7471 /usr/sbin/crond -n

Jun 20 16:59:15 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Started Command Scheduler.
Jun 20 16:59:15 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7471]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 68% if used.)
Jun 20 16:59:15 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7471]: (CRON) INFO (running with inotify support)
Jun 20 16:59:15 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7471]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Redirecting to /bin/systemctl stop crond.service
Redirecting to /bin/systemctl status crond.service
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Thu 2019-06-20 17:00:06 EDT; 2s ago
  Process: 7471 ExecStart=/usr/sbin/crond -n $CRONDARGS (code=exited, status=0/SUCCESS)
 Main PID: 7471 (code=exited, status=0/SUCCESS)

Jun 20 16:59:15 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Started Command Scheduler.
Jun 20 16:59:15 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7471]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 68% if used.)
Jun 20 16:59:15 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7471]: (CRON) INFO (running with inotify support)
Jun 20 16:59:15 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7471]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Jun 20 17:00:06 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Stopping Command Scheduler...
Jun 20 17:00:06 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Stopped Command Scheduler.
Redirecting to /bin/systemctl start crond.service
:: [ 17:00:08 ] :: [   LOG    ] :: rlServiceStart: Service crond started successfully
:: [ 17:00:49 ] :: [  BEGIN   ] :: Running 'tail /var/log/cron > cron2.log.100'
:: [ 17:00:49 ] :: [   PASS   ] :: Command 'tail /var/log/cron > cron2.log.100' (Expected 0, got 0)
:: [ 17:00:49 ] :: [   PASS   ] :: File 'cron2.log.100' should not contain '(root) PAM ERROR (Failure setting user credentials)' 
:: [ 17:00:49 ] :: [   PASS   ] :: File 'cron2.log.100' should not contain '(root) FAILED to authorize user with PAM (Failure setting user credentials)' 
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 10248s
::   Assertions: 808 good, 0 bad
::   RESULT: PASS

Comment 15 errata-xmlrpc 2019-08-06 12:35:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2041