Bug 1815584
| Summary: | id_provider = proxy proxy_lib_name = files returns * in password field, breaking PAM authentication | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Jan Pazdziora (Red Hat) <jpazdziora> |
| Component: | sssd | Assignee: | Pavel Březina <pbrezina> |
| Status: | CLOSED ERRATA | QA Contact: | sssd-qe <sssd-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.2 | CC: | aborah, atikhono, grajaiya, jhrozek, lslebodn, mniranja, mupadhye, mzidek, pbrezina, sbose, sgoveas, thalman, tscherf |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.0 | Flags: | pm-rhel:
mirror+
|
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | sync-to-jira | ||
| Fixed In Version: | sssd-2.3.0-4.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-11-04 02:04:37 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1842946 | ||
I think we can do the following: 1. (required bugfix) Make a list of proxy lib names that we know are local and should use 'x' (instead of '*') in the output 2. (optional RFE) Add a new option to proxy provider, something like proxy_use_shadow = True/False , which would to be set to True by default for libs from list identified in step 1 and False otherwise. People could override the default setting in sssd.conf using this option if needed. This should be relatively easy to implement. Michal Upstream ticket: https://pagure.io/SSSD/sssd/issue/4174 Upstream PR: https://github.com/SSSD/sssd/pull/1016 * `master`
* ae5a2cdccadae3de29680466c05637b51b113147 - proxy: set pwfield to x for files library
Upstream PR: https://github.com/SSSD/sssd/pull/5221 Pushed PR: https://github.com/SSSD/sssd/pull/5221 * `master` * ffb9ad1331ac5f5d9bf237666aff19f1def77871 - proxy: use 'x' as default pwfield only for sssd-shadowutils target Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4569 |
Description of problem: The sssd.conf(5) says: pwfield (string) The value that NSS operations that return users or groups will return for the “password” field. This option can also be set per-domain. Default: “*” (remote domains) or “x” (the files domain) However, for users returned via proxy files id_provider, * is returned. That in turn breaks PAM authentication. Version-Release number of selected component (if applicable): sssd-2.2.3-20.el8.x86_64 How reproducible: Deterministic. Steps to Reproduce: 1. Have system without SSSD configured and started. 2. Set password for user test: passwd test 3. Test that PAM authentication or user test works: echo $THE_PASSWORD | pamtester sssd-shadowutils test authenticate If you don't like to use pamtester from EPEL, just use ssh test@localhost. 4. getent passwd test, check that the output is test:x:1000:1000::/home/test:/bin/bash 5. Configure SSSD, create /etc/sssd/sssd.conf with: [sssd] domains = PROXY_PROXY services = nss [domain/PROXY_PROXY] id_provider = proxy proxy_lib_name = files proxy_pam_target = sssd-shadowutils 6. chmod 600 /etc/sssd/sssd.conf or SSSD refuses to start. 7. systemctl restart sssd 8. getent passwd test 9. echo $THE_PASSWORD | pamtester sssd-shadowutils test authenticate Actual results: test:*:1000:1000::/home/test:/bin/bash Password: pamtester: Authentication failure Expected results: test:x:1000:1000::/home/test:/bin/bash Password: pamtester: successfully authenticated Additional info: It is possible to force the expected behaviour by adding line pwfield = x to the [domain/...] section. But SSSD should obey what it says in the man page, and it should not as easily break PAM authentication of unrelated services.