Bug 753161 - no warning in syslog when remote authentication fails due to low uid
no warning in syslog when remote authentication fails due to low uid
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: authconfig (Show other bugs)
16
All Linux
unspecified Severity high
: ---
: ---
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-11-11 08:53 EST by Dennis Gilmore
Modified: 2011-11-15 05:14 EST (History)
2 users (show)

See Also:
Fixed In Version: authconfig-6.1.16-3.fc17
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-11-15 05:14:44 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Dennis Gilmore 2011-11-11 08:53:06 EST
Description of problem:
having installed a new f16 system i was unable to login, im connected to a freeipa server for auth. turned out it was because of the change to minimum uids of 1000 in f16. pam_unix auth failed but pam_sss auth was not attempted. there was no warning or logging to indicate that auth type was skipped.  it was being skipped because my uid is 504  after changing the miniums back to 500 i was able to log in. but spent a lot of time trying to debug something that i should have had a logged warning about that would have enabled me to debug and resolve the issue in minutes instead of hours.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Stephen Gallagher 2011-11-11 08:56:19 EST
I suggest that we might want to modify Fedora's copy of pam_unix.so so that if it receives an ID in the old range (500-999) we will print a warning in /var/log/secure that it may interact poorly with the default PAM configuration.
Comment 2 Tomas Mraz 2011-11-11 13:13:59 EST
I do not like such hack. But it should be possible to make it configurable with additional pam_succeed_if.so + pam_warn.so call.
Comment 3 Tomas Mraz 2011-11-15 04:27:19 EST
Hmm, actually the best way would be to just replace the quiet option of the auth pam_succeed_if.so line with quiet_success.

I'll do that in authconfig.

Note You need to log in before you can comment on or make changes to this bug.