View Issue Details

ID: 0010328
Project: CentOS-7
Category: authconfig
View Status: public
Last Update: 2016-05-26 12:43
Status: new
Resolution: open
Product Version: 7.2.1511
Target Version:
Fixed in Version:
Summary: 0010328: authconfig creates invalid PAM system-auth-ac and password-auth-ac auth configuration for
Description:
authconfig seems to be creating an invalid configuration for system-auth-ac and password-auth-ac in that the auth line for seems to be preventing PAM from attempting other modules. How this manifests is that when I try to log in using a user that has no local password and is AD authenticated, I can see in /var/log/secure that pam_unix is called... and when that fails... the authentication conversation is over... I never see anything for pam_sss in the logs.

I am using realmd to join an AD domain, which calls authconfig to do the work. Regardless, if I run the command that the realm command creates, the same invalid PAM configuration is created.

The realm command calls this authconfig line:

authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart

... which creates this password-auth-ac file:

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required
auth [default=1 success=ok]
auth [success=done ignore=ignore default=die] nullok try_first_pass
auth requisite uid >= 1000 quiet_success
auth sufficient forward_pass
auth required

account required
account sufficient
account sufficient uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore]
account required

password requisite try_first_pass local_users_only retry=3 authtok_type=
password sufficient md5 shadow nullok try_first_pass use_authtok
password sufficient use_authtok
password required

session optional revoke
session required
-session optional
session optional umask=0077
session [success=1 default=ignore] service in crond quiet use_uid
session required
session optional

The version of authconfig in 7.1-1503 created a different auth stack:

--- system-auth-ac 2016-02-05 14:09:32.000000000 -0600
+++ system-auth-ac.bork 2016-02-05 14:26:12.582640002 -0600
@@ -2,9 +2,10 @@
 # This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
 auth required
-auth sufficient nullok try_first_pass
+auth [default=1 success=ok]
+auth [success=done ignore=ignore default=die] nullok try_first_pass
 auth requisite uid >= 1000 quiet_success
-auth sufficient use_first_pass
+auth sufficient forward_pass
 auth required
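Review bot: the added line "auth [success=done ignore=ignore default=die] nullok try_first_pass" ends the auth stack on any result other than success or ignore, so the "forward_pass" line two lines below is reachable only when the preceding "auth [default=1 success=ok]" line returns something other than success and jumps over it; the removed "sufficient" line ignored a failure and let the stack continue. The module names are missing from this capture, so confirm on the affected host which module that first added line runs and what it returns for the AD account. The same hunk also swaps "use_first_pass" for "forward_pass" on the last "sufficient" line, and a comment in the generated file stating the intended password handling would make that change reviewable.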

... and if I replace the password-auth-ac with one from a 7.1-1503 system... it magically works again... so, I'm not exactly sure what's going on with this.
Steps To Reproduce:
1) Install 7.2.1511
2) Join AD realm
3) Authentication is borked.
Tags: No tags attached.
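The control values in the two auth stacks above decide which lines PAM ever reaches. The following Python example is added here and is not part of the bug report or of authconfig; it walks both stacks for a directory user with no local password. The labels (`line1`, `first_added`, `unix`, `uid_check`, `sss`, `last`), the placement of `unix` and `sss` on particular lines, and every return value are assumptions, because the module names are missing from the listing.

```python
# Added example: evaluates PAM control values for an auth stack.
# Only the actions used in the two stacks are modelled: ok, done, bad, die,
# ignore and a numeric jump. Labels stand in for the missing module names.
KEYWORDS = {
    "required": "[success=ok ignore=ignore default=bad]",
    "requisite": "[success=ok ignore=ignore default=die]",
    "sufficient": "[success=done default=ignore]",
}
OLD = [("required", "line1"), ("sufficient", "unix"), ("requisite", "uid_check"),
       ("sufficient", "sss"), ("required", "last")]
NEW = [("required", "line1"), ("[default=1 success=ok]", "first_added"),
       ("[success=done ignore=ignore default=die]", "unix"),
       ("requisite", "uid_check"), ("sufficient", "sss"), ("required", "last")]

def actions_for(control):
    """Turn 'required' or '[a=b c=d]' into a {return_value: action} dict."""
    text = KEYWORDS.get(control, control)
    return dict(pair.split("=") for pair in text.strip("[]").split())

def run_stack(stack, returns):
    """Walk the stack; returns maps label -> module return value (constructed).
    Gives back (overall_result, labels_of_modules_called)."""
    impression, called, skip = None, [], 0
    for control, label in stack:
        if skip:                      # still inside a numeric jump
            skip -= 1
            continue
        called.append(label)
        ret = returns[label]
        table = actions_for(control)
        action = table.get(ret, table["default"])
        if action.isdigit():          # jump over the next N lines
            skip = int(action)
        elif action in ("ok", "done"):
            if impression is None:
                impression = "positive"
            if action == "done" and impression == "positive":
                break                 # stack ends here with success
        elif action in ("bad", "die"):
            impression = "negative"
            if action == "die":
                break                 # stack ends here with failure
    return ("success" if impression == "positive" else "failure"), called

# Constructed return values: a directory user with no local password.
AD_USER = {"line1": "success", "unix": "auth_err", "uid_check": "success",
           "sss": "success", "last": "auth_err"}
```

`run_stack(NEW, dict(AD_USER, first_added="success"))` fails after calling only `line1`, `first_added` and `unix`, which is the pattern described in the report; with `first_added="user_unknown"` the `unix` line is jumped over and `sss` is reached, as it is in `run_stack(OLD, AD_USER)`.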




2016-05-26 12:43

reporter   ~0026691

The PAM stack change should not cause any problem for you.
It works for me for local users and for sssd users.

It might be an issue in sssd.
I would recommend following the sssd wiki

Issue History

Date Modified      Username   Field                  Change
2016-02-05 20:50   sidrew     New Issue
2016-05-26 12:43   lslebodn   Note Added: 0026691