FreeBSD's openpam doesn't have a built-in way of ignoring an unknown user (e.g. treating PAM_USER_UNKNOWN as a pass for a required module, like Linux's user_unknown=ignore tag), so there needs to be an ignore_unknown_user flag built into the PAM module. This patch makes pam_sss return PAM_IGNORE instead of PAM_USER_UNKNOWN when ignore_unknown_user is passed in from the PAM config. FWIW, this is how pam_ldap works on FreeBSD with local accounts, too.
This patch allows us to keep pam_sss marked as required for the PAM "account" facility (to enforce HBAC rules) but still allow local users to log in.
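The effect described in the report above can be seen in a small model of a PAM "account" chain. This is an added example, not code from the patch or from SSSD: the two module functions are simplified stand-ins, the user data is constructed, and PAM_PERM_DENIED as the HBAC denial result is an assumption of the model.

```python
# Simplified model of a PAM "account" chain in which every module is `required`.
# Return codes are kept as names; the stand-in modules are illustrative, not SSSD code.
SUCCESS = "PAM_SUCCESS"
IGNORE = "PAM_IGNORE"
USER_UNKNOWN = "PAM_USER_UNKNOWN"
PERM_DENIED = "PAM_PERM_DENIED"

# Constructed sample data.
LOCAL_USERS = {"root", "alice"}
DIRECTORY_HBAC = {"bob": True, "carol": False}  # directory user -> HBAC allows login?


def pam_sss_acct(user, args):
    """Stand-in for pam_sss account management (assumed behaviour)."""
    if user not in DIRECTORY_HBAC:
        return IGNORE if "ignore_unknown_user" in args else USER_UNKNOWN
    return SUCCESS if DIRECTORY_HBAC[user] else PERM_DENIED


def pam_unix_acct(user, args):
    """Stand-in for pam_unix: it sees every account NSS can resolve."""
    known = user in LOCAL_USERS or user in DIRECTORY_HBAC
    return SUCCESS if known else USER_UNKNOWN


def run_required_chain(chain, user):
    """Run every module; PAM_IGNORE is skipped, the first failure is the result."""
    first_error = None
    for module, args in chain:
        result = module(user, args)
        if result == IGNORE:
            continue
        if result != SUCCESS and first_error is None:
            first_error = result
    return first_error or SUCCESS


def account_chain(pam_sss_args):
    """Account chain with pam_sss first, both modules `required`."""
    return [(pam_sss_acct, pam_sss_args), (pam_unix_acct, [])]


if __name__ == "__main__":
    for label, args in (("without flag", []), ("with flag", ["ignore_unknown_user"])):
        for user in ("alice", "bob", "carol", "mallory"):
            print(label, user, run_required_chain(account_chain(args), user))
```

With the flag set, the local user passes, the directory user denied by HBAC is still rejected, and a user unknown to every source is still rejected by the next required module.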
Thanks a lot for the patch! It looks OK to me, builds fine and the intent looks fine as well. Can you send the patch to sssd-devel so other developers can take a look as well?
milestone: NEEDS_TRIAGE => SSSD 1.11.5
rhbz: => 0
Updated patch (0001-PAM-add-ignore_unknown_user-option.patch)
owner: somebody => jhrozek
owner: jhrozek => somebody
resolution: => fixed
status: new => closed
Lukas implemented additional improvement for cases when sssd is not running:
Metadata Update from @petef:
- Issue set to the milestone: SSSD 1.11.5
SSSD is moving from Pagure to GitHub. This means that new issues and pull requests will be accepted only in SSSD's GitHub repository.
This issue has been cloned to GitHub and is available here:
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the subscribe button.
Thank you for understanding. We apologize for any inconvenience.