Description of problem: The sssd.conf(5) man page documents the pam_response_filter as an integer configuration and then proceeds with instructions on how to configure the parameter with text. You may want to update the type to (string) instead. Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: As seen in the man page of sssd.conf --- pam_response_filter (integer) A comma separated list of strings which allows to remove (filter) data sent by the PAM responder to pam_sss PAM module. There are different kind of responses sent to pam_sss e.g. messages displayed to the user or environment variables which should be set by pam_sss. While messages already can be controlled with the help of the pam_verbosity option this option allows to filter out other kind of responses as well. Currently the following filters are supported: ENV Do not send any environment variables to any service. ENV:var_name Do not send environment variable var_name to any service. ENV:var_name:service Do not send environment variable var_name to service. Default: not set Example: ENV:KRB5CCNAME:sudo-i ---
Upstream ticket: https://github.com/SSSD/sssd/issues/5325
Pushed PR: https://github.com/SSSD/sssd/pull/5324 * `master` * b377253b7dfca1c1f87349d94d060424af615d45 - MAN: fix 'pam_responsive_filter' option type
Tested with ]# rpm -q sssd sssd-2.4.0-2.el8.x86_64 ]# man sssd.conf <snip> pam_response_filter (string) A comma separated list of strings which allows to remove (filter) data sent by the PAM responder to pam_sss PAM module. There are different kind of responses sent to pam_sss e.g. messages displayed to the user or environment variables which should be set by pam_sss. While messages already can be controlled with the help of the pam_verbosity option this option allows to filter out other kind of responses as well. Currently the following filters are supported: ENV Do not send any environment variables to any service. ENV:var_name Do not send environment variable var_name to any service. ENV:var_name:service Do not send environment variable var_name to service. Default: not set Example: ENV:KRB5CCNAME:sudo-i </snip> Marking verified/tested.
[root@auto-hv-01-guest01 ~]# rpm -q sssd sssd-2.4.0-2.el8.x86_64 [root@auto-hv-01-guest01 ~]# man sssd.conf | awk '/pam_response_filter/,/KRB5CCNAME:sudo-i/' pam_response_filter (string) A comma separated list of strings which allows to remove (filter) data sent by the PAM responder to pam_sss PAM module. There are different kind of responses sent to pam_sss e.g. messages displayed to the user or environment variables which should be set by pam_sss. While messages already can be controlled with the help of the pam_verbosity option this option allows to filter out other kind of responses as well. Currently the following filters are supported: ENV Do not send any environment variables to any service. ENV:var_name Do not send environment variable var_name to any service. ENV:var_name:service Do not send environment variable var_name to service. Default: not set Example: ENV:KRB5CCNAME:sudo-i
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1666