Bug 481656 - pam_succeed_if.so uid < 500 consistency problem
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: authconfig
Version: 5.3
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
Assignee: Tomas Mraz
QA Contact: BaseOS QE
Reported: 2009-01-26 21:36 UTC by Dax Kelson
Modified: 2009-01-27 13:35 UTC (History)

Doc Type: Bug Fix
Last Closed: 2009-01-27 13:35:32 UTC
Description Dax Kelson 2009-01-26 21:36:23 UTC
Description of problem:

My system-auth has these auth lines (created by authconfig):

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

With this PAM configuration there is a behavioral oddity.

* If I have a regular user account with UID less than 500 whose password comes from /etc/{passwd,shadow}, or NIS, the user can log in with no problem.

* If I have an LDAP, Kerberos, or SMB/Winbind regular user account with a UID less than 500, then the user cannot log in.

This is inconsistent; they should either both work or both fail.

In other words:

FAILS:
useradd -p "*K*" -u 303 userc  # using kerberos auth

WORKS:
useradd -u 303 userc
echo "passa" | passwd --stdin userc

Comment 1 Tomas Mraz 2009-01-27 13:35:32 UTC
The accounts with uid < 500 are considered to be system accounts which should not be authenticated by the remote servers.

But don't worry, authconfig already supports your request: a simple 'authconfig --enablesysnetauth --update' will remove the pam_succeed_if line from system-auth-ac.
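
Why the two cases in this report diverge, shown as an added example (not code from the bug report, authconfig or Linux-PAM): a simplified Python model of the required/requisite/sufficient control flags applied to the system-auth stack quoted in the description. The `User` class, the module stand-ins and the uid 1000 account are assumptions made for illustration, and each user is assumed to supply the correct password for the backend that holds their credentials.

```python
# Simplified model of PAM auth-stack evaluation; this is not libpam.
from dataclasses import dataclass

@dataclass
class User:
    name: str
    uid: int
    backend: str  # "local" (/etc/shadow) or "krb5"; constructed sample values

# Stand-ins for each module's result: True = PAM_SUCCESS, False = failure.
MODULES = {
    "pam_env.so": lambda u: True,                  # modeled as never failing
    "pam_unix.so": lambda u: u.backend == "local",
    "pam_succeed_if.so": lambda u: u.uid >= 500,   # "uid >= 500" from the report
    "pam_krb5.so": lambda u: u.backend == "krb5",
    "pam_deny.so": lambda u: False,
}

# The auth lines from the report, in order.
SYSTEM_AUTH = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("requisite", "pam_succeed_if.so"),
    ("sufficient", "pam_krb5.so"),
    ("required", "pam_deny.so"),
]

# Same stack with the pam_succeed_if line removed, which Comment 1 says
# 'authconfig --enablesysnetauth --update' does.
SYSNETAUTH = [e for e in SYSTEM_AUTH if e[1] != "pam_succeed_if.so"]

def authenticate(stack, user):
    """Return (granted, deciding_module) for the given stack and user."""
    failed_required = None
    for control, module in stack:
        ok = MODULES[module](user)
        if control == "sufficient" and ok and failed_required is None:
            return True, module        # success ends the stack immediately
        if control == "requisite" and not ok:
            return False, module       # failure ends the stack immediately
        if control == "required" and not ok and failed_required is None:
            failed_required = module   # remembered; the stack keeps running
    return failed_required is None, failed_required

if __name__ == "__main__":
    for stack_name, stack in (("system-auth", SYSTEM_AUTH), ("sysnetauth", SYSNETAUTH)):
        for user in (User("userc", 303, "local"), User("userc", 303, "krb5")):
            print(stack_name, user.backend, authenticate(stack, user))
```

A local account is accepted by the `sufficient` pam_unix.so line before the uid check is ever reached, which is why only network-authenticated accounts below uid 500 hit the `requisite` failure.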

