Bug 953116
| Summary: | sssd password change does not work for a newly created IPA user | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | Patrik Kis <pkis> |
| Component: | authconfig | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 19 | CC: | dahili.network, dpal, jhrozek, pbrezina, sbose, sgallagh, ssorce, stefw, tmraz |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-04-25 14:18:56 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 918092 | | |
Description
Patrik Kis
2013-04-17 11:57:50 UTC
I debugged the issue with Patrik in person and I think the bug was caused by changing the PAM return codes. Upstream ticket: https://fedorahosted.org/sssd/ticket/1882

The issue turned out to be a misconfigured PAM stack. Sorry for the noise.

```
password requisite pam_pwquality.so try_first_pass retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
#password sufficient pam_sss.so use_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
```

The use_first_pass option was extra. I'm not a PAM expert, but it seems that use_first_pass is not correct there, even according to man pam_unix(8) and the pam_cracklib example listed there. The PAM config was generated by authconfig, so I'll reassign the bug there.

The use_first_pass (if implemented as in other modules) should be really harmless there. What semantics does use_first_pass have in pam_sss.so?

The same as pam_unix: "The argument use_first_pass forces the module to use a previous stacked modules password and will never prompt the user - if no password is available or the password is not appropriate, the user will be denied access." Since neither pam_pwquality nor pam_unix will ask for a password during the PAM_PRELIM_CHECK run, pam_sss will not find any password with pam_get_item() and must fail because use_first_pass does not allow pam_sss to request the password on its own.

Ah, you're right, I forgot that pam_unix won't ask for the old password if there is no such entry in /etc/passwd.

authconfig-6.2.6-2.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/authconfig-6.2.6-2.fc19

Package authconfig-6.2.6-2.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing authconfig-6.2.6-2.fc19'
as soon as you are able to.
Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-6098/authconfig-6.2.6-2.fc19 then log in and leave karma (feedback).

authconfig-6.2.6-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

Today I newly installed CentOS 6.5 and I have the same bug:

```
useradd erik
root@0 ~ # su erik
id: cannot find name for group ID 500
id: cannot find name for user ID 500
root@0 ~ # userdel erik
root@0 ~ # useradd erik
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
Creating mailbox file: File exists
root@0 ~ # su oguz
id: cannot find name for group ID 500
id: cannot find name for user ID 500
I have no name!@0 /root $ cd
I have no name!@0 ~ $
I have no name!@0 ~ $ pwd
/home/erik
I have no name!@0 ~ $ passwd
Changing password for user erik.
Changing password for erik.
(current) UNIX password:
passwd: Authentication token manipulation error
```

Any answer?

This is the log of the problem:

```
May 11 11:12:48 0 useradd[8382]: new user: name=erik, UID=500, GID=500, home=/home/erik, shell=/bin/bash
May 11 11:13:39 0 su: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
May 11 11:13:39 0 su: PAM adding faulty module: /lib64/security/pam_fprintd.so
May 11 11:13:39 0 su: pam_unix(su:session): session opened for user erik by root(uid=0)
May 11 11:15:09 0 passwd: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
May 11 11:15:09 0 passwd: PAM adding faulty module: /lib64/security/pam_fprintd.so
May 11 11:15:15 0 passwd: pam_unix(passwd:chauthtok): authentication failure; logname=root uid=500 euid=0 tty=pts/0 ruser= rhost= user=erik
```

(In reply to dahili from comment #11)
> This is the log of the problem:
>
> May 11 11:12:48 0 useradd[8382]: new user: name=erik, UID=500, GID=500,
> home=/home/erik, shell=/bin/bash
> May 11 11:13:39 0 su: PAM unable to dlopen(/lib64/security/pam_fprintd.so):
> /lib64/security/pam_fprintd.so: cannot open shared object file: No such file
> or directory
> May 11 11:13:39 0 su: PAM adding faulty module:
> /lib64/security/pam_fprintd.so
> May 11 11:13:39 0 su: pam_unix(su:session): session opened for user erik by
> root(uid=0)
> May 11 11:15:09 0 passwd: PAM unable to
> dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so:
> cannot open shared object file: No such file or directory
> May 11 11:15:09 0 passwd: PAM adding faulty module:
> /lib64/security/pam_fprintd.so
> May 11 11:15:15 0 passwd: pam_unix(passwd:chauthtok): authentication
> failure; logname=root uid=500 euid=0 tty=pts/0 ruser= rhost= user=erik

This log has nothing to do with SSSD or IPA. You are adding a local user to the box, and the PAM stack does not even show SSSD as a module being involved.
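As an added example (not code from the bug report or from authconfig), a small POSIX shell check that flags the misconfiguration discussed in the thread: a `password` entry for pam_sss.so carrying `use_first_pass`, which leaves pam_sss unable to prompt when neither pam_pwquality nor pam_unix collected a password during PAM_PRELIM_CHECK. The two stack files it reads are constructed inline to mirror the broken and corrected lines quoted above; the function name is assumed.

```shell
#!/bin/sh
# Added example, not from the bug or authconfig: report any uncommented
# "password" entry for pam_sss.so that still carries use_first_pass.
# Returns 0 when the stack file is clean, 1 when an offending line exists.
# Usage: check_pam_sss_password_stack /path/to/pam-stack-file
check_pam_sss_password_stack() {
    awk '
        /^[[:space:]]*#/ { next }          # commented-out entries are inert
        $1 == "password" && /[[:space:]]pam_sss\.so([[:space:]]|$)/ {
            for (i = 2; i <= NF; i++)
                if ($i == "use_first_pass") { bad = 1; print FILENAME ": " $0 }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample stacks: the misconfigured one and the corrected one.
broken=$(mktemp); fixed=$(mktemp)
cat > "$broken" <<'EOF'
password requisite pam_pwquality.so try_first_pass retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_first_pass use_authtok
password required pam_deny.so
EOF
cat > "$fixed" <<'EOF'
password requisite pam_pwquality.so try_first_pass retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
#password sufficient pam_sss.so use_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
EOF

if check_pam_sss_password_stack "$broken"; then echo "broken stack: clean (unexpected)"; else echo "broken stack: flagged"; fi
if check_pam_sss_password_stack "$fixed";  then echo "fixed stack: clean";  else echo "fixed stack: flagged (unexpected)"; fi
rm -f "$broken" "$fixed"
```

On a live Fedora or RHEL system point the function at /etc/pam.d/system-auth and /etc/pam.d/password-auth, the files authconfig writes.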