Bug 760107 - Wrong default configuration when using pam_sss.so
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: authconfig
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-12-05 08:02 EST by Jan Zeleny
Modified: 2012-03-27 05:25 EDT (History)

Last Closed: 2012-03-27 05:25:01 EDT
Doc Type: Bug Fix
External Trackers: FedoraHosted SSSD 1011
Description Jan Zeleny 2011-12-05 08:02:41 EST
Description of problem:
When configuring PAM to use pam_sss.so, the following parameters are used:

default=bad success=ok user_unknown=ignore

This causes an error when the SSSD daemon is not running and the authinfo_unavail code is returned by the pam_sss.so module.

The argument list of pam_sss.so should also contain authinfo_unavail=ignore to fix this issue.
Comment 1 Tomas Mraz 2011-12-05 08:32:42 EST
No, this would not be correct. Use the --enablelocauthorize option to achieve the same result. Perhaps we could make the --enablelocauthorize on by default.
Comment 2 Jan Zeleny 2011-12-05 08:51:17 EST
Thanks for looking into this. If setting it as "on" by default won't have any other side effects, I believe it's the right choice.
Comment 3 Tomas Mraz 2011-12-06 03:39:58 EST
Actually this option is already on by default in the current releases. Is there an 'account sufficient pam_localuser.so' line in /etc/pam.d/system-auth before the account ... pam_sss.so line?
Comment 4 Marko Myllynen 2011-12-07 05:44:27 EST
(In reply to comment #3)
> Actually this option is already on by default in the current releases. Is there
> 'account sufficient pam_localuser.so'
> line in the /etc/pam.d/system-auth before the account ... pam_sss.so line?

Yes, there is, on both RHEL 6 and Fedora 16.

However, I'm wondering why having authinfo_unavail=ignore would be an incorrect solution for cases like SSSD and Winbind where the daemon might be running for some reason? pam_localuser.so sounds unrelated to the case where both SSSD and Winbind are running on the same system.

This is related to bug 760109 where there's an issue with authconfig generated PAM configuration with SSSD+Winbind but it seems that it might be better fixed in Winbind not in authconfig.

Thanks.
Comment 5 Marko Myllynen 2011-12-07 05:45:35 EST
> where the daemon might be running for some reason

Obviously: "where the daemon might /not/ be running for some reason"
Comment 6 Tomas Mraz 2011-12-07 07:16:24 EST
Well, there is an, albeit small, race condition where an authentication might succeed and then the authorization would not be done due to the daemon stopping/crashing, although if it were running it would reject the user.

Also the configuration with both sssd and winbind is really a borderline one and I'd expect users with such configurations to be able to adjust the configuration to their needs. Some might prefer more tight security and others availability.
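To make the disagreement in comments 1 to 6 concrete, here is an added example (my own code, not code from the bug report, authconfig or SSSD) that models how the Linux-PAM dispatcher walks an account stack and runs authconfig's default pam_sss.so control string next to the one proposed in the description. The stack lines are the account lines authconfig writes with --enablelocauthorize, minus pam_succeed_if.so, which does not change the comparison. The user database, the module behaviours and the names LOCAL_USERS, DIRECTORY_USERS, make_modules and compare are constructed for the example. sssd_pam_up=False stands for the window described in comment 6, in which the user has already authenticated but pam_sss.so can no longer reach the daemon; the model assumes name resolution still succeeds in that window (cached, or served by sssd's separate NSS responder), which is an assumption, not something the thread states.

```python
"""Added example: a model of Linux-PAM 'account' stack evaluation, used to
compare authconfig's default pam_sss.so control string with the proposed one.
Not code from the bug report, authconfig or SSSD."""
import re

# PAM return codes used by the model (names mirror the pam.conf(5) value names).
PAM_SUCCESS = "success"
PAM_PERM_DENIED = "perm_denied"
PAM_USER_UNKNOWN = "user_unknown"
PAM_AUTHINFO_UNAVAIL = "authinfo_unavail"

# Expansion of the classic control keywords, as documented in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# Account lines authconfig writes with --enablelocauthorize (constructed copy;
# pam_succeed_if.so and the other service types are left out).
DEFAULT_STACK = """
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
"""
# The variant proposed in the description of this bug.
PROPOSED_STACK = DEFAULT_STACK.replace(
    "user_unknown=ignore", "user_unknown=ignore authinfo_unavail=ignore")

LINE_RE = re.compile(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)")

def parse_stack(text, service_type="account"):
    """Turn pam.d lines into (action table, module name, args) triples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % line)
        mtype, control, module, args = m.groups()
        if mtype != service_type:
            continue
        if control.startswith("["):
            table = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            table = KEYWORDS[control]
        entries.append((table, module, args.split()))
    return entries

def run_stack(entries, modules):
    """Evaluate a stack the way Linux-PAM's dispatcher handles the ok/done/bad/
    die/ignore actions. Numeric 'skip N' actions are not modelled, and a return
    code with neither an explicit action nor a default is treated as 'bad'
    (assumption)."""
    impression = None            # None: undefined, True: positive, False: negative
    status = PAM_PERM_DENIED     # what an undefined impression falls back to
    for table, module, args in entries:
        retval = modules[module](args)
        action = table.get(retval, table.get("default", "bad"))
        if action in ("ok", "done"):
            if impression is None or (impression is True and status == PAM_SUCCESS):
                impression, status = True, retval
            if impression is True and action == "done":
                break                                   # 'done': stop and grant
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval      # first failure wins
            if action == "die":
                break
        # 'ignore': the module's result does not touch the stack's state
    return status if impression is not None else PAM_PERM_DENIED

# Constructed environment: one local account and two directory accounts.
LOCAL_USERS = {"alice"}
DIRECTORY_USERS = {"bob": "allowed", "mallory": "denied"}

def make_modules(user, sssd_pam_up):
    """Stub module behaviour. sssd_pam_up=False is the window from comment 6:
    name resolution still works (assumed cached or via the NSS responder) but
    pam_sss.so cannot reach the daemon and returns authinfo_unavail."""
    known = user in LOCAL_USERS or user in DIRECTORY_USERS
    return {
        "pam_unix.so": lambda args: PAM_SUCCESS if known else PAM_USER_UNKNOWN,
        "pam_localuser.so": lambda args: PAM_SUCCESS if user in LOCAL_USERS else PAM_PERM_DENIED,
        "pam_sss.so": lambda args: (
            PAM_AUTHINFO_UNAVAIL if not sssd_pam_up else
            PAM_USER_UNKNOWN if user not in DIRECTORY_USERS else
            PAM_SUCCESS if DIRECTORY_USERS[user] == "allowed" else PAM_PERM_DENIED),
        "pam_permit.so": lambda args: PAM_SUCCESS,
    }

def authorize(stack_text, user, sssd_pam_up=True):
    return run_stack(parse_stack(stack_text), make_modules(user, sssd_pam_up))

def compare(user, sssd_pam_up=True):
    """Account-phase result as (default stack, proposed stack)."""
    return (authorize(DEFAULT_STACK, user, sssd_pam_up),
            authorize(PROPOSED_STACK, user, sssd_pam_up))

if __name__ == "__main__":
    for user in ("alice", "bob", "mallory", "eve"):
        for up in (True, False):
            print("%-8s sssd_pam_up=%-5s default=%-17s proposed=%s"
                  % ((user, up) + compare(user, up)))
```

Running it shows the two stacks agree for the local user whether or not the daemon is reachable, because pam_localuser.so is sufficient and decides before pam_sss.so is consulted (the point of comment 3), and agree on an unknown user and on a directory user that sssd rejects while it is up. They differ only when pam_sss.so returns authinfo_unavail: the default string turns that into a denial, while the proposed string ignores it and lets pam_permit.so grant access, including to a directory user that sssd would have rejected had it been running, which is the race described in comment 6.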
