1304374 – Pam stack is not properly configured for sssd

Bug 1304374 - Pam stack is not properly configured for sssd

Summary: Pam stack is not properly configured for sssd

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	sssd
Sub Component:
Version:	22
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Jakub Hrozek
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-02-03 12:44 UTC by Lukas Slebodnik
Modified:	2016-02-22 14:03 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-02-03 13:40:21 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
patch for upstream (1.65 KB, text/plain) 2016-02-03 12:47 UTC, Lukas Slebodnik	no flags	Details
View All

Description Lukas Slebodnik 2016-02-03 12:44:24 UTC

Description of problem:
I tried to configure my machine with my custom sssd.conf.
I used authconfig to configure pam stack. (sss is already in nsswitch.conf)

sh# authconfig --enablesssd --enablesssdauth --update


Version-Release number of selected component (if applicable):
authconfig-6.2.10-6.fc22.x86_64

How reproducible:
Deterministic

Steps to Reproduce:
1. authconfig --enablesssd --enablesssdauth --update

grep -E "pam_(sss|unix)" /etc/pam.d/system-auth
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so forward_pass
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
session     required      pam_unix.so
session     optional      pam_sss.so

Actual results:
sh# grep -E "account.*pam_unix" /etc/pam.d/system-auth
account     required      pam_unix.so

Expected results:
grep -E "account.*pam_unix" /etc/pam.d/system-auth
account     required      pam_unix.so  broken_shadow

Comment 1 Lukas Slebodnik 2016-02-03 12:47:45 UTC

Created attachment 1120774 [details]
patch for upstream

Attached patch should fix the issue.

Comment 2 Tomas Mraz 2016-02-03 12:51:21 UTC

I do not think what you propose is a correct configuration. At least before the account calls to pam_unix were working fine without the broken_shadow option.

What does 'getent passwd <remote-account-name>' return for you?

Comment 3 Lukas Slebodnik 2016-02-03 13:03:53 UTC

sh$ getent passwd -s sss lslebodn
lslebodn:x:20728:20728:Lukas Slebodnik:/home/lslebodn:/bin/bash

sh$ grep -E "pam_(sss|unix)" /etc/pam.d/password-auth
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so forward_pass
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
session     required      pam_unix.so
session     optional      pam_sss.so


sh$ ssh -l lslebodn localhost
lslebodn@localhost's password: 
Connection closed by ::1


And here is related part of log file
Feb 03 13:57:56 host.example.test audit[26339]: USER_AUTH pid=26339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="lslebodn" exe="/usr/sbin/sshd" hostname=? addr=::1 terminal=ssh res=failed'
Feb 03 13:58:02 host.example.test sshd[26339]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 user=lslebodn
Feb 03 13:58:02 host.example.test audit[26339]: USER_AUTH pid=26339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss acct="lslebodn" exe="/usr/sbin/sshd" hostname=::1 addr=::1 terminal=ssh res=success'
Feb 03 13:58:02 host.example.test unix_chkpwd[26342]: could not obtain user info (lslebodn)
Feb 03 13:58:02 host.example.test audit[26339]: USER_ACCT pid=26339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=? acct="lslebodn" exe="/usr/sbin/sshd" hostname=::1 addr=::1 terminal=ssh res=failed'
Feb 03 13:58:02 host.example.test sshd[26339]: Failed password for lslebodn from ::1 port 41440 ssh2
Feb 03 13:58:02 host.example.test audit[26339]: USER_AUTH pid=26339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="lslebodn" exe="/usr/sbin/sshd" hostname=? addr=::1 terminal=ssh res=failed'
Feb 03 13:58:02 host.example.test sshd[26339]: fatal: Access denied for user lslebodn by PAM account configuration [preauth]


As you can see authentication passed with sssd. There is just issue with account.

If works fine If I comment out "account     required      pam_unix.so" or if I add broken_shadow to this line.

BTW I did not call authconfig with --enableldapauth or --enablekrb5.

Comment 4 Tomas Mraz 2016-02-03 13:06:51 UTC

The problem is with the x in the passwd entry. SSSD should never put x there if it does not return proper shadow entry. And I suppose it does not do it in normal scenarios.

Reassigning to SSSD for further investigation.

Comment 5 Lukas Slebodnik 2016-02-03 13:40:21 UTC

Ahh,

I had configured option in sssd.conf which changed the default '*' to the 'x' for testing purposes. I had to comment out this line as part of other changes
when I moved configuration from one machine to another.

sh# wc -l /etc/sssd/sssd.conf
113 /etc/sssd/sssd.conf

It works well after changing to the default (removing line from sssd.conf).

Note You need to log in before you can comment on or make changes to this bug.