Bug 481656 - pam_succeed_if.so uid < 500 consistency problem
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: authconfig
5.3
All Linux
low Severity medium
Assigned To: Tomas Mraz
BaseOS QE
Reported: 2009-01-26 16:36 EST by Dax Kelson
Modified: 2009-01-27 08:35 EST
Doc Type: Bug Fix
Last Closed: 2009-01-27 08:35:32 EST
Description Dax Kelson 2009-01-26 16:36:23 EST
Description of problem:

My system-auth has these auth lines (created by authconfig):

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

With this PAM configuration there is a behavioral oddity.

* If I have a regular user account with UID less than 500 whose password comes from /etc/{passwd,shadow}, or NIS, the user can log in no problem.

* If I have an LDAP, Kerberos, SMB/Winbind regular user account with a UID less than 500, then the user cannot log in.

This is inconsistent; they should either both work or both fail.

In other words:

FAILS:
useradd -p "*K*" -u 303 userc  # using kerberos auth

WORKS:
useradd -u 303 userc
echo "passa" | passwd --stdin userc
Comment 1 Tomas Mraz 2009-01-27 08:35:32 EST
The accounts with uid < 500 are considered to be system accounts which should not be authenticated by the remote servers.

But don't worry, authconfig already supports your request: a simple 'authconfig --enablesysnetauth --update' will remove the pam_succeed_if line from the system-auth-ac.
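
The ordering effect behind the two cases in this report, as an added example that is not part of the original bug report or of authconfig: a simplified Python model of the PAM control flags (required, requisite, sufficient) walked over the quoted auth stack. The user records and module outcomes are constructed assumptions; real modules return more result codes than success or failure.

```python
# Simplified model of the Linux-PAM control flags used in the quoted stack.
# Module outcomes are constructed inputs (assumptions), not real PAM calls.
STACK = [  # (control, module), in the order shown in the report
    ("required", "pam_env"),
    ("sufficient", "pam_unix"),
    ("requisite", "pam_succeed_if uid>=500"),
    ("sufficient", "pam_krb5"),
    ("required", "pam_deny"),
]
# The stack with the pam_succeed_if line removed, the change Comment 1
# attributes to 'authconfig --enablesysnetauth --update'.
NETAUTH_STACK = [e for e in STACK if not e[1].startswith("pam_succeed_if")]

def module_result(module, user):
    """True stands for PAM_SUCCESS, False for any failure code."""
    if module == "pam_env":
        return True
    if module == "pam_unix":
        return user["local_password_ok"]
    if module == "pam_succeed_if uid>=500":
        return user["uid"] >= 500
    if module == "pam_krb5":
        return user["kerberos_ok"]
    if module == "pam_deny":
        return False
    raise ValueError(f"unknown module: {module}")

def authenticate(stack, user):
    """Return (granted, module that decided the result)."""
    failed_required = None
    for control, module in stack:
        ok = module_result(module, user)
        if ok and control == "sufficient" and failed_required is None:
            return True, module            # success ends the stack early
        if not ok and control == "requisite":
            return False, failed_required or module  # failure ends it at once
        if not ok and control == "required" and failed_required is None:
            failed_required = module       # remembered, stack keeps running
        # a failed 'sufficient' module is ignored
    return failed_required is None, failed_required or "end of stack"

# Constructed users: same UID 303, different password source.
local_303 = {"uid": 303, "local_password_ok": True, "kerberos_ok": False}
krb_303 = {"uid": 303, "local_password_ok": False, "kerberos_ok": True}

if __name__ == "__main__":
    for name, user in (("local uid 303", local_303), ("kerberos uid 303", krb_303)):
        print(name, authenticate(STACK, user), authenticate(NETAUTH_STACK, user))
```

In this model the local account is granted by pam_unix before the UID test is ever evaluated, while the Kerberos account reaches the requisite pam_succeed_if line first and is rejected there.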
