1306383 – Fix for #1204864 breaks some PAM configs

Bug 1306383 - Fix for #1204864 breaks some PAM configs

Summary: Fix for #1204864 breaks some PAM configs

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	authconfig
Sub Component:
Version:	7.2
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Tomas Mraz
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-02-10 17:02 UTC by Ade Rixon
Modified:	2016-02-11 08:15 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-02-11 08:15:58 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Ade Rixon 2016-02-10 17:02:35 UTC

Description of problem:
In #1204864, authconfig was modified to change the PAM configuration when sssd was used so that only local users would be authenticated with pam_unix and only network users would be authenticated with sssd. However, we have a configuration in which user accounts are defined locally (in passwd) but passwords are authenticated against LDAP via sssd (i.e. in nsswitch.conf, sss lookup is enabled for shadow only, not passwd). This prevents any LDAP account from logging in, limiting it to only those with matching local accounts while retaining centralised password control.
The fix for #1204864 changes the control value for pam_unix from "sufficient" to "[success=done ignore=ignore default=die]", which appears to be equivalent to "requisite" in the legacy syntax. Hence pam_localuser detects that our users are local but when pam_unix fails to authenticate them (since they don't have a valid password locally, only in LDAP), the module aborts rather than proceeding to try pam_sss as before.

Version-Release number of selected component (if applicable):
6.2.8-10

How reproducible:
Our authentication setup is via:
/usr/sbin/authconfig --disableforcelegacy --enableldap --enableldapauth --ldapserver={{ ldap_uri }} --ldapbasedn={{ ldap_basedn }} --enableldaptls --enableldapstarttls --ldaploadcacert=file://{{ ldap_cacert_path }} --disablefingerprint --enableshadow --enablelocauthorize --update
The nsswitch.conf file is then edited to remove 'sss' from the passwd and group databases.

Steps to Reproduce:
1. Configure LDAP authentication via sssd as above using latest authconfig.
2. Attempt to login with password authentication or use sudo, etc.
3.

Actual results:
Authentication fails with "Permission denied".

Expected results:
Authentication succeeds using LDAP password.

Additional info:
This configuration worked with authconfig prior to the above release (bar a spurious 'authentication failed' error from pam_unix prior to pam_sss succeeding). Changing the pam_unix control back to "sufficient" allows it to work again (but may have other undesirable effects?).

Comment 2 Tomas Mraz 2016-02-11 07:56:47 UTC

Authconfig is not supposed to work for any special possible configuration that can be invented. I'm sorry but authconfig will not be modified to accommodate for your setup and you will have to modify the PAM configuration to suit your needs manually.

Comment 3 RHEL Program Management 2016-02-11 08:15:58 UTC

Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.

Note You need to log in before you can comment on or make changes to this bug.