Red Hat Bugzilla – Bug 753161
no warning in syslog when remote authentication fails due to low uid
Last modified: 2011-11-15 05:14:44 EST
Description of problem:
Having installed a new F16 system I was unable to log in. I'm connected to a FreeIPA server for auth. It turned out it was because of the change to minimum UIDs of 1000 in F16. pam_unix auth failed but pam_sss auth was not attempted. There was no warning or logging to indicate that auth type was skipped. It was being skipped because my UID is 504. After changing the minimums back to 500 I was able to log in, but I spent a lot of time trying to debug something that I should have had a logged warning about, which would have enabled me to debug and resolve the issue in minutes instead of hours.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
I suggest that we might want to modify Fedora's copy of pam_unix.so so that if it receives an ID in the old range (500-999) we will print a warning in /var/log/secure that it may interact poorly with the default PAM configuration.
I do not like such a hack. But it should be possible to make it configurable with an additional pam_succeed_if.so + pam_warn.so call.
Hmm, actually the best way would be to just replace the quiet option of the auth pam_succeed_if.so line with quiet_success.
I'll do that in authconfig.
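The `quiet` versus `quiet_success` change discussed in the comments above can be checked mechanically. The following is an added example, not code from the bug report or from authconfig: it scans a PAM stack for auth-phase `pam_succeed_if.so` uid gates that log nothing on failure. The sample stack is constructed and its layout is an assumption; UID 504 and the 1000 threshold come from the report.

```python
import re

# Constructed auth stack in the style authconfig generates (an assumption,
# not copied from the bug report).
BEFORE = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
"""
# The same stack with the change proposed in the thread.
AFTER = BEFORE.replace("uid >= 1000 quiet", "uid >= 1000 quiet_success")

UID_TEST = re.compile(r"\buid\s+(>=|>)\s+(\d+)")
SILENT_ON_FAILURE = {"quiet", "quiet_fail"}  # pam_succeed_if options that suppress failure logs


def silent_uid_gates(pam_text, uid=None):
    """List auth-phase pam_succeed_if.so uid gates that log nothing on failure.

    Returns (line number, threshold, line) tuples. If uid is given, only
    gates that this uid would fail are returned.
    """
    findings = []
    for lineno, raw in enumerate(pam_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue
        # Step over a bracketed control such as [success=1 default=ignore].
        i = 1
        if fields[1].startswith("["):
            while i < len(fields) - 1 and not fields[i].endswith("]"):
                i += 1
        args = fields[i + 1:]
        if not args or not args[0].endswith("pam_succeed_if.so"):
            continue
        match = UID_TEST.search(" ".join(args))
        if not match or not SILENT_ON_FAILURE & set(args):
            continue
        op, limit = match.group(1), int(match.group(2))
        passes = uid is not None and (uid >= limit if op == ">=" else uid > limit)
        if not passes:
            findings.append((lineno, limit, raw.strip()))
    return findings


if __name__ == "__main__":
    for name, stack in (("before", BEFORE), ("after", AFTER)):
        print(name, silent_uid_gates(stack, uid=504))
```

With `quiet_success` the gate still rejects UID 504, but the failure is logged, so the checker reports nothing for the second stack.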