Bug 760107

Summary: Wrong default configuration when using pam_sss.so
Product: Fedora
Component: authconfig
Version: rawhide
Status: CLOSED NOTABUG
Reporter: Jan Zeleny <jzeleny>
Assignee: Tomas Mraz <tmraz>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: myllynen, tmraz
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-03-27 09:25:01 UTC

Description Jan Zeleny 2011-12-05 13:02:41 UTC
Description of problem:
When configuring PAM to use pam_sss.so, the following parameters are used:

default=bad success=ok user_unknown=ignore

This causes an error when the SSSD daemon is not running and the authinfo_unavail code is returned by the pam_sss.so module.

The argument list of pam_sss.so should also contain authinfo_unavail=ignore to fix this issue.

Comment 1 Tomas Mraz 2011-12-05 13:32:42 UTC
No, this would not be correct. Use the --enablelocauthorize option to achieve the same result. Perhaps we could make the --enablelocauthorize on by default.

Comment 2 Jan Zeleny 2011-12-05 13:51:17 UTC
Thanks for looking into this. If setting it as "on" by default won't have any other side effects, I believe it's the right choice.

Comment 3 Tomas Mraz 2011-12-06 08:39:58 UTC
Actually, this option is already on by default in the current releases. Is there an 'account sufficient pam_localuser.so'
line in the /etc/pam.d/system-auth before the account ... pam_sss.so line?

Comment 4 Marko Myllynen 2011-12-07 10:44:27 UTC
(In reply to comment #3)
> Actually, this option is already on by default in the current releases. Is there
> an 'account sufficient pam_localuser.so'
> line in the /etc/pam.d/system-auth before the account ... pam_sss.so line?

Yes, there is, on both RHEL 6 and Fedora 16.

However, I'm wondering why having authinfo_unavail=ignore would be an incorrect solution for cases like SSSD and Winbind where the daemon might be running for some reason? pam_localuser.so sounds unrelated to the case where both SSSD and Winbind are running on the same system.

This is related to bug 760109, where there's an issue with the authconfig-generated PAM configuration with SSSD+Winbind, but it seems that it might be better fixed in Winbind, not in authconfig.

Thanks.

Comment 5 Marko Myllynen 2011-12-07 10:45:35 UTC
> where the daemon might be running for some reason

Obviously: "where the daemon might /not/ be running for some reason"

Comment 6 Tomas Mraz 2011-12-07 12:16:24 UTC
Well, there is, albeit a small, race condition where an authentication might succeed and then the authorization would not be done due to the daemon stopping/crashing, although in case it would be running it would reject the user.

Also, the configuration with both sssd and winbind is really a borderline one, and I'd expect users with such configurations to be able to adjust the configuration to their needs. Some might prefer tighter security and others availability.
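An added audit helper, not part of authconfig or of this bug report, for checking the ordering Comment 3 asks about: it reads the 'account' stack of a PAM file and classifies what a local user gets when sssd is down and pam_sss.so returns authinfo_unavail. The sample stacks below are constructed for the demonstration, not copied from a real system.

```sh
# pam_sss_account_check FILE  (exit code):
#   0  'account sufficient pam_localuser.so' precedes pam_sss.so: a local user
#      is authorized before pam_sss.so is ever reached (authconfig default)
#   1  pam_sss.so is reached first with default=bad: local login fails
#   3  pam_sss.so is reached first but has authinfo_unavail=ignore: login
#      continues, accepting the race from Comment 6 (auth ok, account skipped)
#   2  no 'account' line for pam_sss.so at all
pam_sss_account_check() {
    awk '
        { sub(/#.*/, "") }                            # strip comments
        $1 != "account" && $1 != "-account" { next }  # account phase only
        $2 == "sufficient" && /pam_localuser\.so/ { localuser = 1 }
        /pam_sss\.so/ && !seen {
            seen = 1                                  # first pam_sss.so line decides
            if (localuser)                      rc = 0
            else if (/authinfo_unavail=ignore/) rc = 3
            else                                rc = 1
        }
        END { exit seen ? rc : 2 }
    ' "$1"
}

# Constructed sample stacks (hypothetical file names and contents).
PAM_SAMPLES=$(mktemp -d)
cat > "$PAM_SAMPLES/authconfig-default" <<'EOF'
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
EOF
cat > "$PAM_SAMPLES/localuser-too-late" <<'EOF'
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
# pam_localuser.so after pam_sss.so does not help: default=bad already fired
account     sufficient    pam_localuser.so
account     required      pam_permit.so
EOF
cat > "$PAM_SAMPLES/ignore-unavail" <<'EOF'
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
account     required      pam_permit.so
EOF

for f in "$PAM_SAMPLES"/*; do
    pam_sss_account_check "$f"
    echo "$(basename "$f"): rc=$?"
done
```

Run it against /etc/pam.d/system-auth (or password-auth) on a host to see which of the three behaviours that host has configured.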