Bug 1254023 - pam authentication fails for accounts in both passwd and IPA
pam authentication fails for accounts in both passwd and IPA
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pam (Show other bugs)
7.1
x86_64 Linux
unspecified Severity urgent
: rc
: ---
Assigned To: Tomas Mraz
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-08-16 17:59 EDT by Brian J. Murrell
Modified: 2015-08-25 03:42 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-25 03:42:57 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Brian J. Murrell 2015-08-16 17:59:22 EDT
Description of problem:
If an account is in both the local /etc/{passwd,shadow} files and in IPA when accessed with sssd, authentication will fail when pam_unix is stacked on top of pam_sss.

Version-Release number of selected component (if applicable):
pam-1.1.8-12.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Create a local account (/etc/{passwd,shadow}
2. Install IPA server on the same machine
3. Using a non-privileged account, try to use a PAM authenticating tool such as /usr/lib64/squid/basic_pam_auth from the squid package to authenticate the local account

Actual results:
Authentication fails

Expected results:
Authentication should succeed

Additional info:

# head -8 /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

Now, if you rename the local account and try the authentication it will succeed.  But it should succeed regardless since in the above pam stack, the pam_unix.so might fail, but the pam_sss following it being sufficient should allow the authentication to succeed.
Comment 2 Tomas Mraz 2015-08-24 09:13:40 EDT
Is the uid >= 1000? And are you sure, the failure is in the pam_authenticate() call and not in the pam_acct_mgmt call?
Comment 3 Brian J. Murrell 2015-08-24 09:26:21 EDT
(In reply to Tomas Mraz from comment #2)
> Is the uid >= 1000?

Yes.  It is 1001

> And are you sure, the failure is in the
> pam_authenticate() call and not in the pam_acct_mgmt call?

I don't really know.  This is what is in /var/log/secure when it fails:

Aug 24 09:25:17 server unix_chkpwd[9426]: check pass; user unknown
Aug 24 09:25:17 server unix_chkpwd[9427]: check pass; user unknown
Aug 24 09:25:17 server unix_chkpwd[9427]: password check failed for user (brian)
Aug 24 09:25:17 server basic_pam_auth: pam_unix(squid:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=brian
Aug 24 09:25:20 server basic_pam_auth: pam_sss(squid:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=brian
Aug 24 09:25:20 server unix_chkpwd[9429]: could not obtain user info (brian)
Comment 4 Tomas Mraz 2015-08-24 10:39:25 EDT
I do not think there is any problem with the authentication - this is normal. You need to properly configure pam to ignore the pam_unix result in account. Or run the basic_auth_pam with -o option.
Comment 5 Brian J. Murrell 2015-08-24 14:06:29 EDT
(In reply to Tomas Mraz from comment #4)
> I do not think there is any problem with the authentication - this is
> normal. You need to properly configure pam to ignore the pam_unix result in
> account. Or run the basic_auth_pam with -o option.

So the bigger picture here is what else is going to fail because of pam_unix in account?

Sure, basic_auth_pam has an option that effectively works around the problem, but surely something else is going to get tripped up trying to do this pam_unix in account isn't it?
Comment 6 Tomas Mraz 2015-08-25 03:42:57 EDT
I am not sure what you're asking here about. You basically have a misconfiguration - conflicting account entries in local passwd/shadow and server is something that can always bring problems. You can workaround these problems with fine tunning of the pam stack configuration but you cannot expect such configuration to work flawlessly without such fine tunning, because in general this fine tunning can break other expectations.

Note You need to log in before you can comment on or make changes to this bug.