RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1815584 - id_provider = proxy proxy_lib_name = files returns * in password field, breaking PAM authentication
Summary: id_provider = proxy proxy_lib_name = files returns * in password field, break...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 8.0
Assignee: Pavel Březina
QA Contact: sssd-qe
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks: 1842946
TreeView+ depends on / blocked
 
Reported: 2020-03-20 16:05 UTC by Jan Pazdziora
Modified: 2020-11-04 02:08 UTC (History)
13 users (show)

Fixed In Version: sssd-2.3.0-4.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-04 02:04:37 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 5129 0 None closed id_provider = proxy proxy_lib_name = files returns * in password field, breaking PAM authentication 2020-12-16 01:00:38 UTC
Red Hat Product Errata RHBA-2020:4569 0 None None None 2020-11-04 02:05:06 UTC

Description Jan Pazdziora 2020-03-20 16:05:51 UTC
Description of problem:

The sssd.conf(5) says:

       pwfield (string)
           The value that NSS operations that return users or groups will return for the “password” field.

           This option can also be set per-domain.

           Default: “*” (remote domains) or “x” (the files domain)

However, for users returned via proxy files id_provider, * is returned. That in turn breaks PAM authentication.

Version-Release number of selected component (if applicable):

sssd-2.2.3-20.el8.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have system without SSSD configured and started.
2. Set password for user test: passwd test
3. Test that PAM authentication or user test works:
   echo $THE_PASSWORD | pamtester sssd-shadowutils test authenticate
   If you don't like to use pamtester from EPEL, just use ssh test@localhost.
4. getent passwd test, check that the output is
   test:x:1000:1000::/home/test:/bin/bash
5. Configure SSSD, create /etc/sssd/sssd.conf with:

[sssd]
 domains = PROXY_PROXY
 services = nss

[domain/PROXY_PROXY]
 id_provider = proxy
 proxy_lib_name = files
 proxy_pam_target = sssd-shadowutils

6. chmod 600 /etc/sssd/sssd.conf or SSSD refuses to start.
7. systemctl restart sssd
8. getent passwd test
9. echo $THE_PASSWORD | pamtester sssd-shadowutils test authenticate

Actual results:

test:*:1000:1000::/home/test:/bin/bash

Password: pamtester: Authentication failure

Expected results:

test:x:1000:1000::/home/test:/bin/bash

Password: pamtester: successfully authenticated

Additional info:

It is possible to force the expected behaviour by adding line

 pwfield = x

to the [domain/...] section. But SSSD should obey what it says in the man page, and it should not as easily break PAM authentication of unrelated services.

Comment 1 Michal Zidek 2020-03-20 16:22:23 UTC
I think we can do the following: 
1. (required bugfix) Make a list of proxy lib names that we know are local and should use 'x' (instead of '*') in the output
2. (optional RFE) Add a new option to proxy provider, something like proxy_use_shadow = True/False , which would to be set to True by default for libs from list identified in step 1 and False otherwise. People could override the default setting in sssd.conf using this option if needed.

This should be relatively easy to implement.

Michal

Comment 3 Pavel Březina 2020-03-31 11:50:26 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/4174

Upstream PR:
https://github.com/SSSD/sssd/pull/1016

Comment 4 Pavel Březina 2020-04-06 10:04:56 UTC
* `master`
    * ae5a2cdccadae3de29680466c05637b51b113147 - proxy: set pwfield to x for files library

Comment 13 Pavel Březina 2020-06-26 10:11:32 UTC
Upstream PR:
https://github.com/SSSD/sssd/pull/5221

Comment 14 Pavel Březina 2020-06-29 10:12:51 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/5221

* `master`
    * ffb9ad1331ac5f5d9bf237666aff19f1def77871 - proxy: use 'x' as default pwfield only for sssd-shadowutils target

Comment 18 errata-xmlrpc 2020-11-04 02:04:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4569


Note You need to log in before you can comment on or make changes to this bug.