Bug 491366

Summary: authconfig breaks local authentication when ldap server is unavailable
Product: Red Hat Enterprise Linux 5
Component: authconfig
Version: 5.5
Hardware: All
OS: Linux
Reporter: donavan nelson <donavan>
Assignee: Tomas Mraz <tmraz>
QA Contact: BaseOS QE <qe-baseos-auto>
CC: laurence.besson
Status: CLOSED NOTABUG
Severity: medium
Priority: low
Doc Type: Bug Fix
Last Closed: 2009-03-23 12:03:07 UTC

Description donavan nelson 2009-03-20 16:41:22 UTC
Description of problem:

When enabling ldap support with authconfig, the resulting system-auth-ac file is configured such that local users with passwords in /etc/shadow are unable to log into the system when no ldap server is available.

Version-Release number of selected component (if applicable):

authconfig-5.3.21-3.el5.x86_64

How reproducible:


Steps to Reproduce:

using a kickstart install -- during install use:
authconfig --enableshadow --enablemd5

in %post
useradd donavan -m -u 10000 -p '$1$nQxm/MaQ$DeMSwZ2eG5Hzl.rUayVFw.'
authconfig --enableldap --enableldapauth --ldapbasedn="dc=4wx,dc=net" --ldapserver=ldap.4wx.net --update

after install, yum update, and reboot, make the following changes in /etc/ldap.conf

bind_timelimit 2
bind_policy soft

with remote ldap server running

ssh in using ldap credentials for user donavan, login works
ssh in using shadow credentials for user donavan, login works

shutdown remote ldap server

ssh in using ldap credentials for user donavan, login fails (after timeout)
ssh in using shadow credentials for user donavan, login fails

add 'account    sufficient   pam_localuser.so' to /etc/pam.d/system-auth[-ac]

remote ldap server still turned down

ssh in using ldap credentials for user donavan, login fails (after timeout)
ssh in using shadow credentials for user donavan, login succeeds
 
Actual results:

login without a working ldap server is not possible.

Expected results:

Login without ldap server is possible without manual hackery to /etc/pam.d/system-auth

Additional info:

When logging in without a running ldap server, the connection is immediately closed when using proper shadow credentials:

donavan@proxy:~ >ssh -Y donavan.25.54
donavan.25.54's password:       [ ldap password ]
Permission denied, please try again.
donavan.25.54's password:       [shadow password ]
Connection closed by 192.168.25.54

The broken system-auth[-ac]:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so


The patched and working system-auth[-ac]:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account    sufficient   pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so


/var/log/secure log from the above scenario:

Annotations are inside curly brackets.

{ldap login ldap server running}
Mar 20 11:27:39 dyn54 sshd[1199]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.242  user=donavan
Mar 20 11:27:39 dyn54 sshd[1199]: Accepted password for donavan from 192.168.56.242 port 60741 ssh2
Mar 20 11:27:39 dyn54 sshd[1199]: pam_unix(sshd:session): session opened for user donavan by (uid=0)
Mar 20 11:27:56 dyn54 sshd[1199]: pam_unix(sshd:session): session closed for user donavan

{shadow login ldap server running}
Mar 20 11:27:59 dyn54 sshd[1219]: Accepted password for donavan from 192.168.56.242 port 60742 ssh2
Mar 20 11:27:59 dyn54 sshd[1219]: pam_unix(sshd:session): session opened for user donavan by (uid=0)


{ldap login ldap server NOT running}
Mar 20 11:28:36 dyn54 sshd[1219]: pam_unix(sshd:session): session closed for user donavan
Mar 20 11:28:42 dyn54 sshd[1239]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.242  user=donavan
Mar 20 11:28:42 dyn54 sshd[1239]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Mar 20 11:28:44 dyn54 sshd[1239]: Failed password for donavan from 192.168.56.242 port 60743 ssh2

{shadow login ldap server NOT running}
Mar 20 11:28:46 dyn54 sshd[1239]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Mar 20 11:28:46 dyn54 sshd[1239]: Failed password for donavan from 192.168.56.242 port 60743 ssh2
Mar 20 11:28:46 dyn54 sshd[1242]: fatal: Access denied for user donavan by PAM account configuration

{ldap login ldap server NOT running, after system-auth[-ac] changes }
Mar 20 11:32:54 dyn54 sshd[1244]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.242  user=donavan
Mar 20 11:32:54 dyn54 sshd[1244]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Mar 20 11:32:56 dyn54 sshd[1244]: Failed password for donavan from 192.168.56.242 port 43278 ssh2

{shadow login ldap server NOT running, after system-auth[-ac] changes }
Mar 20 11:33:01 dyn54 sshd[1244]: Accepted password for donavan from 192.168.56.242 port 43278 ssh2
Mar 20 11:33:01 dyn54 sshd[1244]: nss_ldap: failed to bind to LDAP server ldap://ldap.4wx.net/: Can't contact LDAP server
Mar 20 11:33:01 dyn54 sshd[1244]: nss_ldap: could not search LDAP server - Server is unavailable
Mar 20 11:33:01 dyn54 sshd[1244]: nss_ldap: failed to bind to LDAP server ldap://ldap.4wx.net/: Can't contact LDAP server
Mar 20 11:33:01 dyn54 sshd[1244]: nss_ldap: could not search LDAP server - Server is unavailable
Mar 20 11:33:01 dyn54 sshd[1244]: pam_unix(sshd:session): session opened for user donavan by (uid=0)
Mar 20 11:33:01 dyn54 sshd[1248]: nss_ldap: failed to bind to LDAP server ldap://ldap.4wx.net/: Can't contact LDAP server
Mar 20 11:33:01 dyn54 sshd[1248]: nss_ldap: could not search LDAP server - Server is unavailable
Mar 20 11:33:01 dyn54 sshd[1248]: nss_ldap: failed to bind to LDAP server ldap://ldap.4wx.net/: Can't contact LDAP server
Mar 20 11:33:01 dyn54 sshd[1248]: nss_ldap: could not search LDAP server - Server is unavailable

{login is permitted using shadow credentials}
donavan@dyn54:~ >id
uid=10000(donavan) gid=10000(donavan) groups=10000(donavan)

Comment 1 Tomas Mraz 2009-03-23 12:03:07 UTC
You must add the --enablelocauthorize option to the authconfig call in the kickstart.
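The "Access denied for user donavan by PAM account configuration" outcome, and why inserting pam_localuser.so (which --enablelocauthorize does) fixes it, can be reproduced with a small simulator of Linux-PAM's control-flag dispatch over the account lines of the two system-auth files above. This is an added example, not part of the bug report or of authconfig; the module return codes, the passwd contents (LOCAL) and the directory contents (LDAP) are constructed stand-ins.

```python
import re

# Keyword expansions from pam.conf(5): "sufficient" is [success=done default=ignore], etc.
KEYWORDS = {"required": {"success": "ok", "default": "bad"}, "requisite": {"success": "ok", "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"}, "optional": {"success": "ok", "default": "ignore"}}
ACCOUNT = re.compile(r"^account\s+(\[[^\]]+\]|\w+)\s+(\S+)")
LOCAL = {"root": 0, "donavan": 10000}   # constructed /etc/passwd (name -> uid)
LDAP = {"donavan"}                      # constructed directory content

def parse_account_stack(text):
    """[(action table, module)] for the 'account' lines of a system-auth file."""
    stack = []
    for m in filter(None, map(ACCOUNT.match, text.splitlines())):
        ctrl, module = m.groups()
        stack.append((dict(kv.split("=") for kv in ctrl[1:-1].split())
                      if ctrl.startswith("[") else KEYWORDS[ctrl], module))
    return stack

def module_result(module, user, ldap_up):
    """Constructed stand-ins for each module's account-phase return code."""
    if module in ("pam_unix.so", "pam_localuser.so"):
        return "success" if user in LOCAL else "user_unknown"
    if module == "pam_succeed_if.so":   # models only the 'uid < 500' test
        return "success" if LOCAL.get(user, 1 << 31) < 500 else "auth_err"
    if module == "pam_ldap.so":         # server down: "Can't contact LDAP server"
        return ("success" if user in LDAP else "user_unknown") if ldap_up else "authinfo_unavail"
    return "success"                    # pam_permit.so

def run_account_stack(text, user, ldap_up):
    """Mirror Linux-PAM dispatch: the 'impression' is undef, positive or negative."""
    impression = status = None
    for table, module in parse_account_stack(text):
        rv = module_result(module, user, ldap_up)
        action = table.get(rv, table["default"])
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", rv
            if impression == "positive" and action == "done":
                break                   # 'sufficient' short-circuits the stack
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", rv   # the first failure wins
            if action == "die":
                break
        # 'ignore': this module does not influence the outcome
    return status or "perm_denied"      # an undecided stack is a denial

BROKEN = ("account required pam_unix.so broken_shadow\n"
          "account sufficient pam_succeed_if.so uid < 500 quiet\n"
          "account [default=bad success=ok user_unknown=ignore] pam_ldap.so\n"
          "account required pam_permit.so\n")
PATCHED = BROKEN.replace("account sufficient pam_succeed_if",
                         "account sufficient pam_localuser.so\naccount sufficient pam_succeed_if")
```

With the LDAP server down, the broken stack returns pam_ldap's failure because default=bad marks the stack negative and the trailing pam_permit cannot override it; with pam_localuser.so as sufficient, a /etc/passwd user is granted before pam_ldap is consulted, while uid < 500 accounts were already exempt via pam_succeed_if.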