2018-01-18 07:48 UTC

ID: 0010328
Project: CentOS-7
Category: authconfig
View Status: public
Last Update: 2016-05-26 12:43
Product Version: 7.2.1511
Target Version: (empty)
Fixed in Version: (empty)
Summary: 0010328: authconfig creates invalid PAM system-auth-ac and password-auth-ac auth configuration for pam_unix.so
Description: authconfig seems to be creating an invalid configuration for system-auth-ac and password-auth-ac in that the auth line for pam_unix.so seems to be preventing PAM from attempting other modules. How this manifests is that when I try to login using a user that has no local password and is AD authenticated, I can see in /var/log/secure that pam_unix is called... and when that fails... the authentication conversation is over... I never see anything for pam_sss in the logs.

I am using realmd to join an AD domain, which calls authconfig to do the work. Regardless, if I run the command that the realm command creates, the same invalid PAM configuration is created.

The realm command calls this authconfig line:

authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart

... which creates this password-auth-ac file:

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

The version of authconfig in 7.1-1503 created a different auth stack:

--- system-auth-ac 2016-02-05 14:09:32.000000000 -0600
+++ system-auth-ac.bork 2016-02-05 14:26:12.582640002 -0600
@@ -2,9 +2,10 @@
 # This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
 auth required pam_env.so
-auth sufficient pam_unix.so nullok try_first_pass
+auth [default=1 success=ok] pam_localuser.so
+auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
 auth requisite pam_succeed_if.so uid >= 1000 quiet_success
-auth sufficient pam_sss.so use_first_pass
+auth sufficient pam_sss.so forward_pass
 auth required pam_deny.so
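Review bot: the `[success=done ignore=ignore default=die]` control on the new pam_unix.so line ends the stack on any non-success return, and because the preceding `[default=1 success=ok] pam_localuser.so` only lets the stack reach pam_unix.so for accounts it finds locally (any other result jumps over that one line), the `die` path is taken exactly when an account exists in /etc/passwd but fails the pam_unix check; pam_succeed_if.so and pam_sss.so are then never consulted, which matches the /var/log/secure trace described above if the failing account is also a local one. The removed `auth sufficient pam_unix.so` line behaved differently: a pam_unix failure under `sufficient` is ignored and the walk falls through to pam_sss.so. Worth stating in the report whether the affected account is present in /etc/passwd, since that decides which of the two branches is taken; the `use_first_pass` to `forward_pass` change on the pam_sss.so line does not affect which module is reached.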

... and if I replace the password-auth-ac with one from a 7.1-1503 system... it magically works again... so, I'm not exactly sure what's going on with this.
Steps To Reproduce:
1) Install 7.2.1511
2) Join AD realm
3) Authentication is borked.
Tags: No tags attached.
Attached Files
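To make the control-value semantics of the two stacks concrete, here is a small simulator added for this page (it is not PAM code, nor anything from the reporter or authconfig) that walks an auth stack using a simplified version of the Linux-PAM dispatch rules from pam.conf(5): numeric jumps, ok/done/bad/die, and the legacy keywords. The accounts bob and carol and their passwords are constructed; the stack text is the 7.2.1511 password-auth-ac auth section quoted above.

```python
# Simplified model of the Linux-PAM dispatch rules from pam.conf(5); written for this page, not PAM's own code.
import re
SUCCESS, AUTH_ERR, USER_UNKNOWN, DENIED = "success", "auth_err", "user_unknown", "perm_denied"
KEYWORDS = {"required": {"success": "ok", "ignore": "ignore", "default": "bad"},
            "requisite": {"success": "ok", "ignore": "ignore", "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"}}

def parse_stack(text):
    """[(action table, module)] for each 'auth' line, whether [..] syntax or a legacy keyword."""
    return [(dict(kv.split("=") for kv in ctrl[1:-1].split()) if ctrl[0] == "[" else KEYWORDS[ctrl], mod)
            for ctrl, mod in re.findall(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", text, re.M)]

def run_auth(stack, result_of):
    """Walk the stack; return (final status, module that ended the walk or None)."""
    impression, status, i = None, None, 0
    while i < len(stack):
        actions, module = stack[i]
        ret = result_of(module)
        act = actions.get(ret, actions.get("default", "bad"))
        i += 1
        if act.isdigit():                      # 'N': ignore this result and skip N modules
            i += int(act)
        elif act == "die":                     # requisite-style exit: later modules never run
            return ret, module
        elif act == "bad" and impression != "neg":
            impression, status = "neg", ret    # first failure is remembered, walk continues
        elif act in ("ok", "done"):
            if impression is None or (impression == "pos" and status == SUCCESS):
                impression, status = "pos", ret
            if act == "done" and impression == "pos":
                return status, module          # sufficient-style early exit
    return (status if impression else DENIED), None

# Constructed accounts: bob is in /etc/passwd with no usable password hash but known to sssd; carol is AD-only.
USERS = {"bob": dict(local=True, unix_pw=None, sss_pw="adpass"), "carol": dict(local=False, sss_pw="adpass")}

def results_for(user, password):
    """Each module's return code for one login attempt by `user` with `password` (both uids are >= 1000)."""
    u = USERS[user]
    return {"pam_env.so": SUCCESS, "pam_succeed_if.so": SUCCESS, "pam_deny.so": AUTH_ERR,
            "pam_localuser.so": SUCCESS if u["local"] else USER_UNKNOWN,
            "pam_unix.so": SUCCESS if u.get("unix_pw") == password else AUTH_ERR,
            "pam_sss.so": SUCCESS if u["sss_pw"] == password else AUTH_ERR}.__getitem__
STACK_72 = """auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so"""
```

For bob, `run_auth(parse_stack(STACK_72), results_for("bob", "adpass"))` returns ('auth_err', 'pam_unix.so'): the walk ends at pam_unix and pam_sss never runs, which is the /var/log/secure picture in the report; for carol the jump skips pam_unix and the result is ('success', 'pam_sss.so'). Feeding the same simulator the 7.1-1503 stack from the diff (plain `sufficient` pam_unix, no pam_localuser line) lets bob through via pam_sss, since a `sufficient` failure is ignored.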

lslebodn (reporter)

The PAM stack change should not cause any problem for you.
It works for me for local users and for sssd users.

It might be an issue in sssd.
I would recommend following the sssd wiki: https://fedorahosted.org/sssd/wiki/Troubleshooting

Issue History
Date Modified | Username | Field | Change
2016-02-05 20:50 | sidrew | New Issue
2016-05-26 12:43 | lslebodn | Note Added: 0026691