RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1254023 - pam authentication fails for accounts in both passwd and IPA
Summary: pam authentication fails for accounts in both passwd and IPA
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pam
Version: 7.1
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: rc
: ---
Assignee: Tomas Mraz
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-08-16 21:59 UTC by Brian J. Murrell
Modified: 2015-08-25 07:42 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-25 07:42:57 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Brian J. Murrell 2015-08-16 21:59:22 UTC 
Description of problem:
If an account is in both the local /etc/{passwd,shadow} files and in IPA when accessed with sssd, authentication will fail when pam_unix is stacked on top of pam_sss.

Version-Release number of selected component (if applicable):
pam-1.1.8-12.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Create a local account (/etc/{passwd,shadow}
2. Install IPA server on the same machine
3. Using a non-privileged account, try to use a PAM authenticating tool such as /usr/lib64/squid/basic_pam_auth from the squid package to authenticate the local account

Actual results:
Authentication fails

Expected results:
Authentication should succeed

Additional info:

# head -8 /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

Now, if you rename the local account and try the authentication it will succeed.  But it should succeed regardless since in the above pam stack, the pam_unix.so might fail, but the pam_sss following it being sufficient should allow the authentication to succeed.
Comment 2 Tomas Mraz 2015-08-24 13:13:40 UTC 
Is the uid >= 1000? And are you sure, the failure is in the pam_authenticate() call and not in the pam_acct_mgmt call?
Comment 3 Brian J. Murrell 2015-08-24 13:26:21 UTC 
(In reply to Tomas Mraz from comment #2)
> Is the uid >= 1000?

Yes.  It is 1001

> And are you sure, the failure is in the
> pam_authenticate() call and not in the pam_acct_mgmt call?

I don't really know.  This is what is in /var/log/secure when it fails:

Aug 24 09:25:17 server unix_chkpwd[9426]: check pass; user unknown
Aug 24 09:25:17 server unix_chkpwd[9427]: check pass; user unknown
Aug 24 09:25:17 server unix_chkpwd[9427]: password check failed for user (brian)
Aug 24 09:25:17 server basic_pam_auth: pam_unix(squid:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=brian
Aug 24 09:25:20 server basic_pam_auth: pam_sss(squid:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=brian
Aug 24 09:25:20 server unix_chkpwd[9429]: could not obtain user info (brian)
Comment 4 Tomas Mraz 2015-08-24 14:39:25 UTC 
I do not think there is any problem with the authentication - this is normal. You need to properly configure pam to ignore the pam_unix result in account. Or run the basic_auth_pam with -o option.
Comment 5 Brian J. Murrell 2015-08-24 18:06:29 UTC 
(In reply to Tomas Mraz from comment #4)
> I do not think there is any problem with the authentication - this is
> normal. You need to properly configure pam to ignore the pam_unix result in
> account. Or run the basic_auth_pam with -o option.

So the bigger picture here is what else is going to fail because of pam_unix in account?

Sure, basic_auth_pam has an option that effectively works around the problem, but surely something else is going to get tripped up trying to do this pam_unix in account isn't it?
Comment 6 Tomas Mraz 2015-08-25 07:42:57 UTC 
I am not sure what you're asking here about. You basically have a misconfiguration - conflicting account entries in local passwd/shadow and server is something that can always bring problems. You can workaround these problems with fine tunning of the pam stack configuration but you cannot expect such configuration to work flawlessly without such fine tunning, because in general this fine tunning can break other expectations.
Note You need to log in before you can comment on or make changes to this bug.