Bug 1304374 - Pam stack is not properly configured for sssd
Pam stack is not properly configured for sssd
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: sssd (Show other bugs)
22
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Jakub Hrozek
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-03 07:44 EST by Lukas Slebodnik
Modified: 2016-02-22 09:03 EST (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-03 08:40:21 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
patch for upstream (1.65 KB, text/plain)
2016-02-03 07:47 EST, Lukas Slebodnik
no flags Details

  None (edit)
Description Lukas Slebodnik 2016-02-03 07:44:24 EST
Description of problem:
I tried to configure my machine with my custom sssd.conf.
I used authconfig to configure pam stack. (sss is already in nsswitch.conf)

sh# authconfig --enablesssd --enablesssdauth --update


Version-Release number of selected component (if applicable):
authconfig-6.2.10-6.fc22.x86_64

How reproducible:
Deterministic

Steps to Reproduce:
1. authconfig --enablesssd --enablesssdauth --update

grep -E "pam_(sss|unix)" /etc/pam.d/system-auth
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so forward_pass
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
session     required      pam_unix.so
session     optional      pam_sss.so

Actual results:
sh# grep -E "account.*pam_unix" /etc/pam.d/system-auth
account     required      pam_unix.so

Expected results:
grep -E "account.*pam_unix" /etc/pam.d/system-auth
account     required      pam_unix.so  broken_shadow
Comment 1 Lukas Slebodnik 2016-02-03 07:47 EST
Created attachment 1120774 [details]
patch for upstream

Attached patch should fix the issue.
Comment 2 Tomas Mraz 2016-02-03 07:51:21 EST
I do not think what you propose is a correct configuration. At least before the account calls to pam_unix were working fine without the broken_shadow option.

What does 'getent passwd <remote-account-name>' return for you?
Comment 3 Lukas Slebodnik 2016-02-03 08:03:53 EST
sh$ getent passwd -s sss lslebodn
lslebodn:x:20728:20728:Lukas Slebodnik:/home/lslebodn:/bin/bash

sh$ grep -E "pam_(sss|unix)" /etc/pam.d/password-auth
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so forward_pass
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
session     required      pam_unix.so
session     optional      pam_sss.so


sh$ ssh -l lslebodn localhost
lslebodn@localhost's password: 
Connection closed by ::1


And here is related part of log file
Feb 03 13:57:56 host.example.test audit[26339]: USER_AUTH pid=26339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="lslebodn" exe="/usr/sbin/sshd" hostname=? addr=::1 terminal=ssh res=failed'
Feb 03 13:58:02 host.example.test sshd[26339]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 user=lslebodn
Feb 03 13:58:02 host.example.test audit[26339]: USER_AUTH pid=26339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss acct="lslebodn" exe="/usr/sbin/sshd" hostname=::1 addr=::1 terminal=ssh res=success'
Feb 03 13:58:02 host.example.test unix_chkpwd[26342]: could not obtain user info (lslebodn)
Feb 03 13:58:02 host.example.test audit[26339]: USER_ACCT pid=26339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=? acct="lslebodn" exe="/usr/sbin/sshd" hostname=::1 addr=::1 terminal=ssh res=failed'
Feb 03 13:58:02 host.example.test sshd[26339]: Failed password for lslebodn from ::1 port 41440 ssh2
Feb 03 13:58:02 host.example.test audit[26339]: USER_AUTH pid=26339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="lslebodn" exe="/usr/sbin/sshd" hostname=? addr=::1 terminal=ssh res=failed'
Feb 03 13:58:02 host.example.test sshd[26339]: fatal: Access denied for user lslebodn by PAM account configuration [preauth]


As you can see authentication passed with sssd. There is just issue with account.

If works fine If I comment out "account     required      pam_unix.so" or if I add broken_shadow to this line.

BTW I did not call authconfig with --enableldapauth or --enablekrb5.
Comment 4 Tomas Mraz 2016-02-03 08:06:51 EST
The problem is with the x in the passwd entry. SSSD should never put x there if it does not return proper shadow entry. And I suppose it does not do it in normal scenarios.

Reassigning to SSSD for further investigation.
Comment 5 Lukas Slebodnik 2016-02-03 08:40:21 EST
Ahh,

I had configured option in sssd.conf which changed the default '*' to the 'x' for testing purposes. I had to comment out this line as part of other changes
when I moved configuration from one machine to another.

sh# wc -l /etc/sssd/sssd.conf
113 /etc/sssd/sssd.conf

It works well after changing to the default (removing line from sssd.conf).

Note You need to log in before you can comment on or make changes to this bug.