#2232 [freebsd] pam_sss: add ignore_unknown_user option
Closed: Fixed None Opened 8 years ago by petef.

FreeBSD's openpam doesn't have a built in way of ignoring an unknown user (e.g. treating PAM_USER_UNKNOWN as a pass for a required module, like Linux's user_unknown=ignore tag), so there needs to be an ignore_unknown_user flag built in to the PAM module. This patch makes pam_sss return PAM_IGNORE instead of PAM_USER_UNKNOWN when ignore_unknown_user is passed in from the PAM config. FWIW, this is how pam_ldap works on FreeBSD with local accounts, too.

This patch allows us to keep pam_sss marked as required for the PAM "account" facility (to enforce HBAC rules) but still allow local users to log in.

Thanks a lot for the patch! It looks OK to me, builds fine and the intent looks fine as well. Can you send the patch to sssd-devel so other developers can take a look as well?

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.11.5
rhbz: => 0

Updated patch (0001-PAM-add-ignore_unknown_user-option.patch)

owner: somebody => jhrozek

Fields changed

owner: jhrozek => somebody

Fields changed

resolution: => fixed
status: new => closed

Lukas implemented additional improvement for cases when sssd is not running:

Metadata Update from @petef:
- Issue set to the milestone: SSSD 1.11.5

5 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3274

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.