Bug 1306383 - Fix for #1204864 breaks some PAM configs
Fix for #1204864 breaks some PAM configs
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: authconfig (Show other bugs)
All Linux
unspecified Severity low
: rc
: ---
Assigned To: Tomas Mraz
BaseOS QE Security Team
Depends On:
  Show dependency treegraph
Reported: 2016-02-10 12:02 EST by Ade Rixon
Modified: 2016-02-11 03:15 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-02-11 03:15:58 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Ade Rixon 2016-02-10 12:02:35 EST
Description of problem:
In #1204864, authconfig was modified to change the PAM configuration when sssd was used so that only local users would be authenticated with pam_unix and only network users would be authenticated with sssd. However, we have a configuration in which user accounts are defined locally (in passwd) but passwords are authenticated against LDAP via sssd (i.e. in nsswitch.conf, sss lookup is enabled for shadow only, not passwd). This prevents any LDAP account from logging in, limiting it to only those with matching local accounts while retaining centralised password control.
The fix for #1204864 changes the control value for pam_unix from "sufficient" to "[success=done ignore=ignore default=die]", which appears to be equivalent to "requisite" in the legacy syntax. Hence pam_localuser detects that our users are local but when pam_unix fails to authenticate them (since they don't have a valid password locally, only in LDAP), the module aborts rather than proceeding to try pam_sss as before.

Version-Release number of selected component (if applicable):

How reproducible:
Our authentication setup is via:
/usr/sbin/authconfig --disableforcelegacy --enableldap --enableldapauth --ldapserver={{ ldap_uri }} --ldapbasedn={{ ldap_basedn }} --enableldaptls --enableldapstarttls --ldaploadcacert=file://{{ ldap_cacert_path }} --disablefingerprint --enableshadow --enablelocauthorize --update
The nsswitch.conf file is then edited to remove 'sss' from the passwd and group databases.

Steps to Reproduce:
1. Configure LDAP authentication via sssd as above using latest authconfig.
2. Attempt to login with password authentication or use sudo, etc.

Actual results:
Authentication fails with "Permission denied".

Expected results:
Authentication succeeds using LDAP password.

Additional info:
This configuration worked with authconfig prior to the above release (bar a spurious 'authentication failed' error from pam_unix prior to pam_sss succeeding). Changing the pam_unix control back to "sufficient" allows it to work again (but may have other undesirable effects?).
Comment 2 Tomas Mraz 2016-02-11 02:56:47 EST
Authconfig is not supposed to work for any special possible configuration that can be invented. I'm sorry but authconfig will not be modified to accommodate for your setup and you will have to modify the PAM configuration to suit your needs manually.
Comment 3 RHEL Product and Program Management 2016-02-11 03:15:58 EST
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.

Note You need to log in before you can comment on or make changes to this bug.