Bug 491366 - authconfig breaks local authentication when ldap server is unavailable
authconfig breaks local authentication when ldap server is unavailable
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: authconfig (Show other bugs)
5.5
All Linux
low Severity medium
: ---
: ---
Assigned To: Tomas Mraz
BaseOS QE
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-03-20 12:41 EDT by donavan nelson
Modified: 2009-12-15 08:53 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-03-23 08:03:07 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description donavan nelson 2009-03-20 12:41:22 EDT
Description of problem:

When enabling ldap support with authconfig, the resulting system-auth-ac file is configured such that local users with passwords in /etc/shadow are unable to log into the system when no ldap server is available.

Version-Release number of selected component (if applicable):

authconfig-5.3.21-3.el5.x86_64

How reproducible:


Steps to Reproduce:

using a kickstart install -- during install use:
authconfig --enableshadow --enablemd5

in %post
useradd donavan -m -u 10000 -p '$1$nQxm/MaQ$DeMSwZ2eG5Hzl.rUayVFw.'
authconfig --enableldap --enableldapauth --ldapbasedn="dc=4wx,dc=net" --ldapserver=ldap.4wx.net --update

after install, yum update, and reboot, make the following changes in /etc/ldap.conf

bind_timelimit 2
bind_policy soft

with remote ldap server running

ssh in using ldap credentials for user donavan, login works
ssh in using shadow credentials for user donavan, login works

shutdown remote ldap server

ssh in using ldap credentials for user donavan, login fails (after timeout)
ssh in using shadow credentials for user donavan, login fails

add 'account    sufficient   pam_localuser.so' to /etc/pam.d/system-auth[-ac]

remote ldap server still turned down

ssh in using ldap credentials for user donavan, login fails (after timeout)
ssh in using shadow credentials for user donavan, login succeeds
 
Actual results:

login without a working ldap server is not possible.

Expected results:

Login without ldap server is possible without manual hackery to /etc/pam.d/system-auth

Additional info:

When logging in without a running ldap server, the connection is immediately closed when using proper shadow credentials:

donavan@proxy:~ >ssh -Y donavan@192.168.25.54
donavan@192.168.25.54's password:       [ ldap password ]
Permission denied, please try again.
donavan@192.168.25.54's password:       [shadow password ]
Connection closed by 192.168.25.54

The broken system-auth[-ac]:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so


The patched and working system-auth[-ac]:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account    sufficient   pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so


/var/log/secure log from the above scenario:

Annotations are inside curly brackets.

{ldap login ldap server running}
Mar 20 11:27:39 dyn54 sshd[1199]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.242  user=donavan
Mar 20 11:27:39 dyn54 sshd[1199]: Accepted password for donavan from 192.168.56.242 port 60741 ssh2
Mar 20 11:27:39 dyn54 sshd[1199]: pam_unix(sshd:session): session opened for user donavan by (uid=0)
Mar 20 11:27:56 dyn54 sshd[1199]: pam_unix(sshd:session): session closed for user donavan

{shadow login ldap server running}
Mar 20 11:27:59 dyn54 sshd[1219]: Accepted password for donavan from 192.168.56.242 port 60742 ssh2
Mar 20 11:27:59 dyn54 sshd[1219]: pam_unix(sshd:session): session opened for user donavan by (uid=0)


{ldap login ldap server NOT running}
Mar 20 11:28:36 dyn54 sshd[1219]: pam_unix(sshd:session): session closed for user donavan
Mar 20 11:28:42 dyn54 sshd[1239]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.242  user=donavan
Mar 20 11:28:42 dyn54 sshd[1239]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Mar 20 11:28:44 dyn54 sshd[1239]: Failed password for donavan from 192.168.56.242 port 60743 ssh2

{shadow login ldap server NOT running}
Mar 20 11:28:46 dyn54 sshd[1239]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Mar 20 11:28:46 dyn54 sshd[1239]: Failed password for donavan from 192.168.56.242 port 60743 ssh2
Mar 20 11:28:46 dyn54 sshd[1242]: fatal: Access denied for user donavan by PAM account configuration

{ldap login ldap server NOT running, after system-auth[-ac] changes }
Mar 20 11:32:54 dyn54 sshd[1244]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.242  user=donavan
Mar 20 11:32:54 dyn54 sshd[1244]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Mar 20 11:32:56 dyn54 sshd[1244]: Failed password for donavan from 192.168.56.242 port 43278 ssh2

{shadow login ldap server NOT running, after system-auth[-ac] changes }
Mar 20 11:33:01 dyn54 sshd[1244]: Accepted password for donavan from 192.168.56.242 port 43278 ssh2
Mar 20 11:33:01 dyn54 sshd[1244]: nss_ldap: failed to bind to LDAP server ldap://ldap.4wx.net/: Can't contact LDAP server
Mar 20 11:33:01 dyn54 sshd[1244]: nss_ldap: could not search LDAP server - Server is unavailable
Mar 20 11:33:01 dyn54 sshd[1244]: nss_ldap: failed to bind to LDAP server ldap://ldap.4wx.net/: Can't contact LDAP server
Mar 20 11:33:01 dyn54 sshd[1244]: nss_ldap: could not search LDAP server - Server is unavailable
Mar 20 11:33:01 dyn54 sshd[1244]: pam_unix(sshd:session): session opened for user donavan by (uid=0)
Mar 20 11:33:01 dyn54 sshd[1248]: nss_ldap: failed to bind to LDAP server ldap://ldap.4wx.net/: Can't contact LDAP server
Mar 20 11:33:01 dyn54 sshd[1248]: nss_ldap: could not search LDAP server - Server is unavailable
Mar 20 11:33:01 dyn54 sshd[1248]: nss_ldap: failed to bind to LDAP server ldap://ldap.4wx.net/: Can't contact LDAP server
Mar 20 11:33:01 dyn54 sshd[1248]: nss_ldap: could not search LDAP server - Server is unavailable

{login is permitted using shadow credentials}
donavan@dyn54:~ >id
uid=10000(donavan) gid=10000(donavan) groups=10000(donavan)
Comment 1 Tomas Mraz 2009-03-23 08:03:07 EDT
You must add --enablelocauthorize option to the authconfig call in the kickstart.

Note You need to log in before you can comment on or make changes to this bug.