1306383 – Fix for #1204864 breaks some PAM configs

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1306383 - Fix for #1204864 breaks some PAM configs

Summary: Fix for #1204864 breaks some PAM configs

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	authconfig
Sub Component:
Version:	7.2
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Tomas Mraz
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-02-10 17:02 UTC by Ade Rixon
Modified:	2016-02-11 08:15 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-02-11 08:15:58 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Ade Rixon 2016-02-10 17:02:35 UTC

Description of problem:
In #1204864, authconfig was modified to change the PAM configuration when sssd was used so that only local users would be authenticated with pam_unix and only network users would be authenticated with sssd. However, we have a configuration in which user accounts are defined locally (in passwd) but passwords are authenticated against LDAP via sssd (i.e. in nsswitch.conf, sss lookup is enabled for shadow only, not passwd). This prevents any LDAP account from logging in, limiting it to only those with matching local accounts while retaining centralised password control.
The fix for #1204864 changes the control value for pam_unix from "sufficient" to "[success=done ignore=ignore default=die]", which appears to be equivalent to "requisite" in the legacy syntax. Hence pam_localuser detects that our users are local but when pam_unix fails to authenticate them (since they don't have a valid password locally, only in LDAP), the module aborts rather than proceeding to try pam_sss as before.

Version-Release number of selected component (if applicable):
6.2.8-10

How reproducible:
Our authentication setup is via:
/usr/sbin/authconfig --disableforcelegacy --enableldap --enableldapauth --ldapserver={{ ldap_uri }} --ldapbasedn={{ ldap_basedn }} --enableldaptls --enableldapstarttls --ldaploadcacert=file://{{ ldap_cacert_path }} --disablefingerprint --enableshadow --enablelocauthorize --update
The nsswitch.conf file is then edited to remove 'sss' from the passwd and group databases.

Steps to Reproduce:
1. Configure LDAP authentication via sssd as above using latest authconfig.
2. Attempt to login with password authentication or use sudo, etc.
3.

Actual results:
Authentication fails with "Permission denied".

Expected results:
Authentication succeeds using LDAP password.

Additional info:
This configuration worked with authconfig prior to the above release (bar a spurious 'authentication failed' error from pam_unix prior to pam_sss succeeding). Changing the pam_unix control back to "sufficient" allows it to work again (but may have other undesirable effects?).

Comment 2 Tomas Mraz 2016-02-11 07:56:47 UTC

Authconfig is not supposed to work for any special possible configuration that can be invented. I'm sorry but authconfig will not be modified to accommodate for your setup and you will have to modify the PAM configuration to suit your needs manually.

Comment 3 RHEL Program Management 2016-02-11 08:15:58 UTC

Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.

Note You need to log in before you can comment on or make changes to this bug.