Red Hat Bugzilla – Bug 552542
authconfig does not add broken_shadow parameter with SSSD
Last modified: 2010-01-13 12:28:26 EST
Description of problem:
When configuring system authentication with authconfig-6.0.0-2 on Fedora 12 and using SSSD for remote authentication, the "broken_shadow" parameter is missing:
account required pam_unix.so
This won't let any users authenticated via SSSD in; one needs to have:
account required pam_unix.so broken_shadow
After adding the parameter remotely authenticated users can log in.
That might actually mean that there is a bug in the nss_sss module. What identity provider do you have configured and what does 'getent passwd <username-provided-by-sssd>' print?
I for one have an LDAP identity provider:
getent passwd sgallagh
Stephen, but for such a passwd entry the pam_unix module should never require the broken_shadow option. Does it really not work for you without the option?
I think there was a bit of confusion while testing with sssd-0.7 and later versions.
With sssd-0.7 one gets :x: but with sssd-1.0 one gets :*:. So if broken_shadow is not needed with :*: then this should not be an issue with the latest sssd versions. (Unfortunately I cannot verify this at the moment due to other issues.)
OK, so please verify that it works fine as soon as you are able to do it.
I'll leave the bug open for now.
I can now confirm that with 1.0 one gets :*: and also that the broken_shadow parameter is unneeded for pam_unix.so (i.e., authconfig does the right thing).
Closing, not really an issue.
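
The outcome of this thread as a small diagnostic, added here as an example and not taken from authconfig, SSSD or pam_unix: it classifies a passwd entry by its password field and reports whether the pam_unix account line would need broken_shadow. The function names, the verdict strings and the jdoe entries are constructed for illustration, and the model assumes that only an "x" field triggers a shadow lookup.

```shell
#!/bin/sh
# Simplified model of the account check discussed in this bug (an assumption,
# not pam_unix source): an "x" password field sends pam_unix to the shadow
# database; any other marker, such as "*", does not.

# has_broken_shadow PAM_TEXT: succeed if an account line for pam_unix.so
# carries the broken_shadow option. Comment lines never match $1 == "account".
has_broken_shadow() {
    printf '%s\n' "$1" | awk '
        $1 == "account" && /pam_unix\.so/ {
            for (i = 1; i <= NF; i++) if ($i == "broken_shadow") found = 1
        }
        END { exit !found }'
}

# account_verdict PASSWD_LINE SHADOW_ENTRY(yes|no) PAM_TEXT
# SHADOW_ENTRY says whether the shadow database has an entry for the user;
# on a live system, "getent shadow USER" run as root answers that.
account_verdict() {
    pw_field=$(printf '%s\n' "$1" | cut -d: -f2)
    if [ "$pw_field" != "x" ]; then
        echo "allowed:no-shadow-lookup"
    elif [ "$2" = "yes" ]; then
        echo "allowed:shadow-entry-found"
    elif has_broken_shadow "$3"; then
        echo "allowed:broken_shadow"
    else
        echo "denied:shadow-entry-missing"
    fi
}

# Constructed sample entries; jdoe is a hypothetical SSSD-provided user.
OLD_ENTRY='jdoe:x:10001:10001:J Doe:/home/jdoe:/bin/bash'   # sssd-0.7 style
NEW_ENTRY='jdoe:*:10001:10001:J Doe:/home/jdoe:/bin/bash'   # sssd-1.0 style
PAM_PLAIN='account required pam_unix.so'
PAM_BROKEN='account required pam_unix.so broken_shadow'

account_verdict "$OLD_ENTRY" no "$PAM_PLAIN"    # the failure in the report
account_verdict "$OLD_ENTRY" no "$PAM_BROKEN"   # the reporter's workaround
account_verdict "$NEW_ENTRY" no "$PAM_PLAIN"    # sssd-1.0: option unneeded
```

On a real host, feed account_verdict the output of 'getent passwd <user>' and the contents of the PAM file that authconfig wrote.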