Bug 753161

Summary: no warning in syslog when remote authentication fails due to low uid
Product: [Fedora] Fedora
Reporter: Dennis Gilmore <dennis>
Component: authconfig
Assignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 16
CC: sgallagh, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: authconfig-6.1.16-3.fc17
Doc Type: Bug Fix
Last Closed: 2011-11-15 10:14:44 UTC

Description Dennis Gilmore 2011-11-11 13:53:06 UTC
Description of problem:
Having installed a new F16 system, I was unable to log in. I'm connected to a FreeIPA server for auth. It turned out it was because of the change to minimum UIDs of 1000 in F16. pam_unix auth failed but pam_sss auth was not attempted. There was no warning or logging to indicate that the auth type was skipped. It was being skipped because my uid is 504. After changing the minimums back to 500 I was able to log in, but I spent a lot of time trying to debug something that I should have had a logged warning about, which would have enabled me to debug and resolve the issue in minutes instead of hours.


Comment 1 Stephen Gallagher 2011-11-11 13:56:19 UTC
I suggest that we might want to modify Fedora's copy of pam_unix.so so that if it receives an ID in the old range (500-999) we will print a warning in /var/log/secure that it may interact poorly with the default PAM configuration.

Comment 2 Tomas Mraz 2011-11-11 18:13:59 UTC
I do not like such a hack. But it should be possible to make it configurable with an additional pam_succeed_if.so + pam_warn.so call.

Comment 3 Tomas Mraz 2011-11-15 09:27:19 UTC
Hmm, actually the best way would be to just replace the quiet option of the auth pam_succeed_if.so line with quiet_success.

I'll do that in authconfig.
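
An added example, not part of the bug report or of authconfig's code: a small audit that finds `pam_succeed_if.so` uid checks which would reject a given uid without logging anything, the situation caused by the `quiet` option discussed in comment 3. The sample stack is constructed to resemble an authconfig-generated auth section, and the function name `silent_uid_gates` is hypothetical.

```python
import re

# Constructed sample resembling an authconfig-generated auth stack (assumption,
# not copied from the bug report).
SAMPLE_STACK = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
"""

# Numeric comparison operators accepted by pam_succeed_if.
OPS = {
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
    "eq": lambda a, b: a == b, "ne": lambda a, b: a != b,
}

# type, control (plain word or [bracketed list]), module path, arguments
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def silent_uid_gates(pam_text, uid):
    """Return (line number, line) for each pam_succeed_if uid check that
    fails for `uid` while failure logging is suppressed."""
    findings = []
    for n, raw in enumerate(pam_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = LINE.match(line)
        if not m or not m.group(3).endswith("pam_succeed_if.so"):
            continue
        args = m.group(4).split()
        # 'quiet' suppresses both success and failure messages;
        # 'quiet_success' still logs the failure.
        silent = "quiet" in args or "quiet_fail" in args
        for i in range(len(args) - 2):
            field, op, value = args[i:i + 3]
            if field == "uid" and op in OPS and value.isdigit():
                if silent and not OPS[op](uid, int(value)):
                    findings.append((n, raw.strip()))
    return findings

if __name__ == "__main__":
    for n, text in silent_uid_gates(SAMPLE_STACK, 504):
        print(f"line {n}: uid 504 rejected without a log entry: {text}")
```

With `quiet` replaced by `quiet_success` on the same line, the check reports nothing, because the failure is then logged.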