Description of problem: I tried to configure my machine with my custom sssd.conf. I used authconfig to configure pam stack. (sss is already in nsswitch.conf) sh# authconfig --enablesssd --enablesssdauth --update Version-Release number of selected component (if applicable): authconfig-6.2.10-6.fc22.x86_64 How reproducible: Deterministic Steps to Reproduce: 1. authconfig --enablesssd --enablesssdauth --update grep -E "pam_(sss|unix)" /etc/pam.d/system-auth auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass auth sufficient pam_sss.so forward_pass account required pam_unix.so account [default=bad success=ok user_unknown=ignore] pam_sss.so password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok session required pam_unix.so session optional pam_sss.so Actual results: sh# grep -E "account.*pam_unix" /etc/pam.d/system-auth account required pam_unix.so Expected results: grep -E "account.*pam_unix" /etc/pam.d/system-auth account required pam_unix.so broken_shadow
Created attachment 1120774 [details] patch for upstream Attached patch should fix the issue.
I do not think what you propose is a correct configuration. At least before the account calls to pam_unix were working fine without the broken_shadow option. What does 'getent passwd <remote-account-name>' return for you?
sh$ getent passwd -s sss lslebodn lslebodn:x:20728:20728:Lukas Slebodnik:/home/lslebodn:/bin/bash sh$ grep -E "pam_(sss|unix)" /etc/pam.d/password-auth auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass auth sufficient pam_sss.so forward_pass account required pam_unix.so account [default=bad success=ok user_unknown=ignore] pam_sss.so password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok session required pam_unix.so session optional pam_sss.so sh$ ssh -l lslebodn localhost lslebodn@localhost's password: Connection closed by ::1 And here is related part of log file Feb 03 13:57:56 host.example.test audit[26339]: USER_AUTH pid=26339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="lslebodn" exe="/usr/sbin/sshd" hostname=? addr=::1 terminal=ssh res=failed' Feb 03 13:58:02 host.example.test sshd[26339]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 user=lslebodn Feb 03 13:58:02 host.example.test audit[26339]: USER_AUTH pid=26339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss acct="lslebodn" exe="/usr/sbin/sshd" hostname=::1 addr=::1 terminal=ssh res=success' Feb 03 13:58:02 host.example.test unix_chkpwd[26342]: could not obtain user info (lslebodn) Feb 03 13:58:02 host.example.test audit[26339]: USER_ACCT pid=26339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=? acct="lslebodn" exe="/usr/sbin/sshd" hostname=::1 addr=::1 terminal=ssh res=failed' Feb 03 13:58:02 host.example.test sshd[26339]: Failed password for lslebodn from ::1 port 41440 ssh2 Feb 03 13:58:02 host.example.test audit[26339]: USER_AUTH pid=26339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="lslebodn" exe="/usr/sbin/sshd" hostname=? addr=::1 terminal=ssh res=failed' Feb 03 13:58:02 host.example.test sshd[26339]: fatal: Access denied for user lslebodn by PAM account configuration [preauth] As you can see authentication passed with sssd. There is just issue with account. If works fine If I comment out "account required pam_unix.so" or if I add broken_shadow to this line. BTW I did not call authconfig with --enableldapauth or --enablekrb5.
The problem is with the x in the passwd entry. SSSD should never put x there if it does not return proper shadow entry. And I suppose it does not do it in normal scenarios. Reassigning to SSSD for further investigation.
Ahh, I had configured option in sssd.conf which changed the default '*' to the 'x' for testing purposes. I had to comment out this line as part of other changes when I moved configuration from one machine to another. sh# wc -l /etc/sssd/sssd.conf 113 /etc/sssd/sssd.conf It works well after changing to the default (removing line from sssd.conf).