Bug 2231061

Summary: `realm join` Not Fully Compatible With `authselect`
Product: Red Hat Enterprise Linux 8
Reporter: Thomas Jones <redhat>
Component: realmd
Assignee: Sumit Bose <sbose>
Status: NEW
QA Contact: shridhar <sgadekar>
Severity: medium
Priority: unspecified
Version: 8.8
CC: aboscatt, baljevicdu, long.lam, loren.gordon, redhat, sgadekar
Target Milestone: rc
Flags: baljevicdu: needinfo? (baljevicdu)
Hardware: x86_64
OS: Linux
Whiteboard: sync-to-jira
Doc Type: If docs needed, set a value
Type: Bug

Description Thomas Jones 2023-08-10 12:18:47 UTC
Description of problem:

Current hardening guidelines specify the presence of several PAM-related hardenings. Use of `realm join` to bind to an external, kerberized directory-service (in our case, Active Directory) requires the use of `authselect`. We're able to convert hardening guidance to using `authselect` within the default sssd profile except for the setting of the pam_lastlog.so's "session" definition with /etc/pam.d/postlogin to `required`. While we CAN configure the necessary change from `optional` to `required` by using a custom `authselect` profile, as soon as a `realm join` is performed, the custom-profile is de-selected in favor of the default `sssd` profile. 



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Spin up new system
2. Create a new authselect profile
3. Apply the custom authselect profile
4. Apply required hardenings to custom profile's files
5. Perform a `realm join` 

Actual results:

Find that some hardenings – particularly the customized pam_lastlog.so's session entry in the postlogin file – have been reverted because the in-use authselect profile has been changed to the vendor-shipped `sssd` profile

Expected results:

All hardenings remain as specified and the custom `authselect` profile is still in use.


Additional info:

Comment 1 DB 2023-08-14 02:14:34 UTC
Hi,

I would like to support Thomas for this bug report.

In the past, I experienced a similar kind of issue.

Regards,

Dusan Baljevic | Solution Delivery Specialist, Banking Systems
RESERVE BANK OF AUSTRALIA | 65 Martin Place, Sydney NSW 2000
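
A post-join check for the two things the description above reports as lost: the custom `authselect` profile and the `required` control on the `pam_lastlog.so` session entry in `/etc/pam.d/postlogin`. This is an added example, not part of the bug report or of realmd or authselect. The function names and the sample files are constructed for illustration, and the script assumes that `authselect current` prints a `Profile ID:` line and that custom profiles are identified as `custom/<name>`.

```shell
#!/bin/sh
# Added example, not from the bug report: post-join check for the two things
# the report says are lost (custom profile, pam_lastlog.so "required").

# Print the control field of every "session ... pam_lastlog.so" line in FILE.
lastlog_controls() {
    awk '$1 ~ /^-?session$/ {
        ctl = $2; i = 3
        # A bracketed control such as [success=1 default=ignore] spans fields.
        if (ctl ~ /^\[/) while (ctl !~ /\]$/ && i <= NF) { ctl = ctl " " $i; i++ }
        if ($i ~ /(^|\/)pam_lastlog\.so$/) print ctl
    }' "$1"
}

# Succeed only if some pam_lastlog.so session line is "required" and none is
# still "optional" (the vendor default the report describes).
lastlog_hardened() {
    ctls=$(lastlog_controls "$1") || return 2
    printf '%s\n' "$ctls" | grep -qx 'required' || return 1
    ! printf '%s\n' "$ctls" | grep -qx 'optional'
}

# Read `authselect current` output on stdin; custom profiles are custom/<name>.
profile_is_custom() {
    case "$(sed -n 's/^Profile ID:[[:space:]]*//p')" in
        custom/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files (not copied from a real host) for offline use.
write_samples() {
    printf 'session  [default=1]  pam_lastlog.so nowtmp showfailed\nsession  optional  pam_lastlog.so silent noupdate showfailed\n' > "$1/postlogin.vendor"
    printf '# hardened\nsession  required  pam_lastlog.so showfailed\n' > "$1/postlogin.hardened"
}

# Live check: run after `realm join`; non-zero exit means a hardening was lost.
audit() {
    rc=0
    authselect current 2>/dev/null | profile_is_custom ||
        { echo "authselect profile is not a custom/ profile" >&2; rc=1; }
    lastlog_hardened "${1:-/etc/pam.d/postlogin}" ||
        { echo "pam_lastlog.so session entry is not 'required'" >&2; rc=1; }
    return "$rc"
}

if [ "${1:-}" = "--audit" ]; then audit; fi
```

Running the script with `--audit` immediately after the join step in a provisioning pipeline turns a silent reversion into a failed build.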