FreeBSD's openpam doesn't have a built-in way of ignoring an unknown user (e.g. treating PAM_USER_UNKNOWN as a pass for a required module, like Linux's user_unknown=ignore tag), so there needs to be an ignore_unknown_user flag built into the PAM module. This patch makes pam_sss return PAM_IGNORE instead of PAM_USER_UNKNOWN when ignore_unknown_user is passed in from the PAM config. FWIW, this is how pam_ldap works on FreeBSD with local accounts, too.
This patch allows us to keep pam_sss marked as required for the PAM "account" facility (to enforce HBAC rules) but still allow local users to log in.
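The return-code change described in the report above, as an added example that is not part of the ticket or the SSSD patch: a simplified C model of an account stack with two required modules. The enum values, the sample accounts and the second module (`resolve_acct`) are assumptions made for illustration, not pam_sss or OpenPAM code.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model built for this example: local stand-ins, not the real
 * <security/pam_appl.h> constants, pam_sss source, or OpenPAM dispatcher. */
enum rc { RC_SUCCESS, RC_IGNORE, RC_USER_UNKNOWN, RC_PERM_DENIED, RC_SYSTEM_ERR };

/* Constructed accounts: whether SSSD knows them and what HBAC decides. */
struct acct { const char *name; int in_sssd, hbac_allow; };
static const struct acct ACCTS[] = {
    { "root",  0, 0 },   /* local only */
    { "alice", 1, 1 },   /* SSSD user, HBAC allows */
    { "bob",   1, 0 },   /* SSSD user, HBAC denies */
};

static const struct acct *lookup(const char *u) {
    for (size_t i = 0; i < sizeof ACCTS / sizeof ACCTS[0]; i++)
        if (strcmp(ACCTS[i].name, u) == 0) return &ACCTS[i];
    return NULL;
}

/* Stand-in for pam_sss in the account facility. */
static enum rc sss_acct(const char *u, int ignore_unknown_user) {
    const struct acct *a = lookup(u);
    if (a == NULL || !a->in_sssd)
        return ignore_unknown_user ? RC_IGNORE : RC_USER_UNKNOWN;
    return a->hbac_allow ? RC_SUCCESS : RC_PERM_DENIED;
}

/* Hypothetical second module: accepts any account the system can resolve. */
static enum rc resolve_acct(const char *u) {
    return lookup(u) ? RC_SUCCESS : RC_USER_UNKNOWN;
}

/* Every module is "required": IGNORE is skipped, the first failure wins,
 * and a stack where nothing succeeded is an error rather than a pass. */
static enum rc eval_required(const enum rc *r, int n) {
    enum rc err = RC_SUCCESS; int ok = 0;
    for (int i = 0; i < n; i++) {
        if (r[i] == RC_IGNORE) continue;
        if (r[i] == RC_SUCCESS) { ok++; continue; }
        if (err == RC_SUCCESS) err = r[i];
    }
    return (err == RC_SUCCESS && ok == 0) ? RC_SYSTEM_ERR : err;
}

static enum rc account_stack(const char *u, int ignore_unknown_user) {
    enum rc r[2] = { sss_acct(u, ignore_unknown_user), resolve_acct(u) };
    return eval_required(r, 2);
}

int main(void) {
    printf("root: flag off=%d, flag on=%d\n", account_stack("root", 0), account_stack("root", 1));
    return 0;
}
```

In this model the HBAC denial for `bob` still fails the stack with the flag set, and a stack whose only module returns the ignore code is treated as an error instead of a pass.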
Thanks a lot for the patch! It looks OK to me, builds fine and the intent looks fine as well. Can you send the patch to sssd-devel so other developers can take a look as well?
milestone: NEEDS_TRIAGE => SSSD 1.11.5
rhbz: => 0
Updated patch (0001-PAM-add-ignore_unknown_user-option.patch)
owner: somebody => jhrozek
owner: jhrozek => somebody
resolution: => fixed
status: new => closed
Lukas implemented an additional improvement for cases when sssd is not running:
Metadata Update from @petef:
- Issue set to the milestone: SSSD 1.11.5