Red Hat Bugzilla – Bug 1167324
pam_sss domains option: User auth should fail when domains=<emtpy value>
Last modified: 2015-03-10 02:43:56 EDT
Description of problem: Set nothing to pam_sss option "domains=" in /etc/pam.d/password-auth-ac file. Try to authenticate a trusted user and authentication succeeds. Also, following message gets logged in /var/log/secure file: sshd[21815]: pam_sss(sshd:setcred): Missing argument to option domains. Ideally trusted user auth should fail as arguments to domains option are missing and it is not clear which restricted domain pam service should authenticate against. An alternate solution is to provide information in man page as to what happens when domains=<empty value>. Version-Release number of selected component (if applicable): sssd-1.12.2-12.el7.x86_64 How reproducible: Always Steps to Reproduce: 1. Configure SSSD client with LDAP domain and set empty value to "domains=" option in pam file. Edit the sssd.conf file as given below: [sssd] config_file_version = 2 domains = LDAP services = nss, pam sbus_timeout = 30 [pam] debug_level = 0xFFF0 pam_trusted_users = user1 pam_public_domains = all [domain/LDAP] id_provider = ldap auth_provider = ldap debug_level = 5 cache_credentials = FALSE ldap_uri = ldaps://seaspray.lab.eng.pnq.redhat.com ldap_tls_cacert = /etc/openldap/certs/server.pem ldap_search_base = dc=example,dc=com 2. Also, edit "auth" section of the /etc/pam.d/password-auth-ac in SSSD client as given below: auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so use_first_pass domains= auth required pam_deny.so 3. Execute trusted user auth as given below: # ssh -l user1 localhost usr1@localhost's password: Last login: Mon Nov 24 20:12:07 2014 from localhost Could not chdir to home directory /home/usr1: No such file or directory id: cannot find name for group ID 11111 -sh-4.2$ logout Actual results: User auth successful with the following message in secure file: sshd[21815]: pam_sss(sshd:setcred): Missing argument to option domains. Expected results: Either user auth should fail with the above message OR Man page should be updated with relevant information as to which domain, PAM service is allowed to authenticate against when domains=<empty> Additional info:
Upstream ticket: https://fedorahosted.org/sssd/ticket/2516
* master: 134bff159119b0f62492133983ba637957e26fab
Verified the bug on SSSD Version: sssd-1.12.2-36.el7.x86_64 User auth fails as expected when domains is set with an empty value in the service pam file.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-0441.html